As part of the February Patch Tuesday 2025 security update package, Microsoft released updates that fix 55 vulnerabilities, including four zero-day vulnerabilities, two of which are already being actively exploited by attackers in real-world attacks.


Additionally, as reported by BleepingComputer, the update fixes three critical remote code execution vulnerabilities. Beyond the issues called out above, the update addresses a broad set of flaws, broken down by category:

  • 19 elevation of privilege vulnerabilities
  • 2 security feature bypass vulnerabilities
  • 22 remote code execution vulnerabilities
  • 1 information disclosure vulnerability
  • 9 denial of service vulnerabilities
  • 3 spoofing vulnerabilities.

It should be noted that these figures do not include a critical privilege escalation vulnerability in Microsoft Dynamics 365 Sales and 10 vulnerabilities in Microsoft Edge that were addressed in a separate update on February 6.

The two actively exploited zero-day vulnerabilities patched this month pose the greatest risk. The first, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage. According to Microsoft, an attacker who exploits this flaw could delete targeted files on a device; while it does not expose sensitive information, it could render the system unusable.

The second actively exploited vulnerability is CVE-2025-21418, an elevation of privilege vulnerability in the Ancillary Function Driver for WinSock. It allowed attackers to gain SYSTEM privileges on Windows. Microsoft did not disclose how it was used in attacks.

The two other zero-day vulnerabilities addressed in this release were publicly disclosed before the patch was available. CVE-2025-21194 is a security feature bypass in Microsoft Surface that allows UEFI protections to be circumvented and the secure kernel to be compromised. Microsoft said the vulnerability concerns virtual machines on UEFI host machines, while French cybersecurity firm Quarkslab added that it may be related to the PixieFail series of vulnerabilities affecting the IPv6 network protocol stack.

The remaining zero-day, CVE-2025-21377, is a spoofing vulnerability that could expose Windows users’ NTLM hashes, enabling remote login or pass-the-hash attacks in which an attacker authenticates to a remote server that accepts the LM or NTLM protocol. Microsoft explains that “minimal user interaction with a malicious file, such as a single click or right-click, or performing an action other than opening or executing the file, triggers this vulnerability.”
