Microsoft Patch Tuesday February 2025

Microsoft has released its latest round of security updates as part of February 2025’s Patch Tuesday, addressing 55 vulnerabilities across its software and services. This month's update includes fixes for four zero-day vulnerabilities, with two actively exploited in real-world attacks.

Among the patched flaws, three are classified as Critical, all of which are remote code execution vulnerabilities—highlighting the urgency for organisations to apply these updates promptly.

The breakdown of vulnerabilities by category is as follows:

  • 19 Elevation of Privilege Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 22 Remote Code Execution Vulnerabilities
  • 1 Information Disclosure Vulnerability
  • 9 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities

It's important to note that the figures above do not account for a critical privilege escalation vulnerability in Microsoft Dynamics 365 Sales or the 10 security flaws in Microsoft Edge, which were already patched on February 6.

Actively Exploited Zero-Days Addressed

This month’s Patch Tuesday also tackles four zero-day vulnerabilities, two of which were actively exploited before a fix became available.

Microsoft defines a zero-day vulnerability as a security flaw that has either been publicly disclosed or actively targeted by attackers before an official patch exists, making swift remediation critical.

Breaking Down the Actively Exploited Zero-Days

This month’s security updates address two actively exploited zero-day vulnerabilities, both of which were already being used in attacks before a fix was available.

Windows Storage Elevation of Privilege Vulnerability (CVE-2025-21391)

One of the patched zero-days is a privilege escalation flaw in Windows Storage, which allows attackers to delete targeted files on a system.

According to Microsoft, this vulnerability does not expose sensitive information, but it could enable an attacker to remove critical files, potentially leading to system instability or service disruptions.

At this time, Microsoft has not disclosed details on how this vulnerability has been exploited in the wild or the identity of the researcher who reported it.

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (CVE-2025-21418)

The second actively exploited flaw impacts the Windows Ancillary Function Driver for WinSock, enabling attackers to gain SYSTEM-level privileges on a compromised machine.

Details on the method of exploitation remain unknown, and Microsoft states that this vulnerability was disclosed anonymously.

Publicly Disclosed Zero-Days

Alongside the actively exploited vulnerabilities, Microsoft has also addressed two publicly disclosed zero-day flaws, which could give attackers a head start in crafting exploits.

Microsoft Surface Security Feature Bypass Vulnerability (CVE-2025-21194)

This flaw affects Microsoft’s hypervisor technology and has the potential to bypass UEFI protections, compromising the secure kernel of a system.

According to Microsoft, the issue is related to Virtual Machines operating within UEFI environments, where certain hardware configurations could allow attackers to bypass security measures and compromise the hypervisor.

Security researchers Francisco Falcón and Iván Arce from Quarkslab identified this vulnerability, which appears to be linked to the PixieFail disclosure. PixieFail refers to a collection of nine vulnerabilities in the IPv6 network protocol stack of Tianocore's EDK II, affecting Microsoft Surface devices and related hypervisor products.

NTLM Hash Disclosure Spoofing Vulnerability (CVE-2025-21377)

Another significant flaw patched this month relates to NTLM hash exposure, which could allow attackers to remotely authenticate as a Windows user.

This vulnerability does not require a user to open or execute a malicious file—simply interacting with it (such as a right-click or single-click) could trigger an automatic NTLM hash transmission to an attacker's remote server. Once obtained, these NTLM hashes can be cracked or used in pass-the-hash attacks to gain unauthorized access.
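The following PowerShell is an added defender-side example, not code from the original article or from Microsoft: it reports the outgoing NTLM restriction policy, blocks SMB egress to Internet addresses so a coerced NTLM authentication cannot reach an external server, and lists recent outgoing NTLM audit events. It assumes the RestrictSendingNTLMTraffic registry value under LSA\MSV1_0 carries the "Restrict NTLM: Outgoing NTLM traffic to remote servers" setting (0 allow, 1 audit, 2 deny) and that outgoing audits are logged as event ID 8001 in the NTLM operational log.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell.
# Assumptions: RestrictSendingNTLMTraffic = 0 allow / 1 audit / 2 deny, and
# outgoing NTLM audits appear as event ID 8001 in Microsoft-Windows-NTLM/Operational.

function Get-OutboundNtlmPolicy {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $value = (Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic `
              -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($value) {
        2       { 'Deny all: outgoing NTLM to remote servers is blocked' }
        1       { 'Audit all: outgoing NTLM is logged but not blocked' }
        default { 'Allow all: no outgoing NTLM restriction configured' }
    }
}

# Block SMB/NetBIOS egress to Internet addresses so that a file interaction
# which triggers NTLM authentication cannot complete against an external host.
function Block-InternetSmbEgress {
    $params = @{
        DisplayName   = 'Block outbound SMB to Internet'
        Direction     = 'Outbound'
        Protocol      = 'TCP'
        RemotePort    = @('139', '445')
        RemoteAddress = 'Internet'   # built-in keyword for non-local addresses
        Action        = 'Block'
        Profile       = 'Any'
    }
    if (-not (Get-NetFirewallRule -DisplayName $params.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule @params | Out-Null
    }
}

# List recent outgoing NTLM audit events (populated in audit or deny mode only).
function Get-RecentOutboundNtlmAudits {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

Get-OutboundNtlmPolicy
Block-InternetSmbEgress
Get-RecentOutboundNtlmAudits | Format-List
```

Deny mode also stops legitimate NTLM authentication to remote servers, so set the policy to audit first and review the 8001 events before enforcing it.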

Staying Proactive

Zero-day vulnerabilities and actively exploited threats highlight the need for rapid response and ongoing security monitoring. If your organisation needs help assessing its security posture or responding to cyber threats, our cyber security experts are ready to assist—schedule a consultation.
