Microsoft Patches 55 CVEs in Patch Tuesday


Microsoft has patched 55 CVEs in its February 2025 Patch Tuesday release, with three rated critical and 52 rated as important. Two of the vulnerabilities were exploited in the wild.

The update included patches for:

  • Active Directory Domain Services
  • Azure Active Directory
  • Azure Firmware
  • Azure Network Watcher
  • Microsoft AutoUpdate (MAU)
  • Microsoft Digest Authentication
  • Microsoft High Performance Compute Pack (HPC) Linux Node Agent
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft PC Manager
  • Microsoft Streaming Service
  • Microsoft Surface
  • Microsoft Windows
  • Outlook for Android
  • Visual Studio
  • Visual Studio Code
  • Windows Ancillary Function Driver for WinSock
  • Windows CoreMessaging
  • Windows DHCP Client
  • Windows DHCP Server
  • Windows DWM Core Library
  • Windows Disk Cleanup Tool
  • Windows Installer
  • Windows Internet Connection Sharing (ICS)
  • Windows Kerberos
  • Windows Kernel
  • Windows LDAP – Lightweight Directory Access Protocol
  • Windows Message Queuing
  • Windows NTLM
  • Windows Remote Desktop Services
  • Windows Resilient File System (ReFS) Deduplication Service
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Setup Files Cleanup
  • Windows Storage
  • Windows Telephony Server
  • Windows Telephony Service
  • Windows Update Stack
  • Windows Win32 Kernel Subsystem

Remote code execution (RCE) vulnerabilities accounted for 38.2% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 34.5%.

Cybersecurity company Tenable says the tally omitted one vulnerability reported by HackerOne.

“The two zero days exploited in the wild include CVE-2025-21418, an elevation of privilege vulnerability in afd.sys, the Windows Ancillary Function Driver that interfaces with the Windows Sockets API (or WinSock) to enable Windows applications to connect to the internet,” said Tenable Senior Researcher Satnam Narang. “The second zero day is CVE-2025-21391, an elevation of privilege flaw in the way Windows handles file storage.”

“Both flaws appear to be post-compromise related, which means an attacker would need to obtain local access to a vulnerable system through other means, like exploiting another vulnerability for initial access, some type of social engineering, or compromised/weak credentials,” he added. “In 2025, five zero days were exploited in the wild as part of Patch Tuesday, and all five were elevation of privilege flaws.”

“Since 2022, there have been nine elevation of privilege vulnerabilities in the Ancillary Function Driver for WinSock, three each year, including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193),” said Narang. “According to the reports, CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group (also known as Hidden Cobra or Diamond Sleet) to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems. At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.”

“Conversely, there have been seven elevation of privilege bugs categorized as Windows Storage, including two in 2022, one in 2023 and four in 2024, though this is the first to be categorised as exploited in the wild as a zero day.”
