On Tuesday, Microsoft released its February 2025 Patch Tuesday update, which addresses 63 security vulnerabilities, including four zero-days: two that are being actively exploited in the wild and two that were publicly disclosed.
Of the 63 flaws, three are rated critical, 53 important, and one moderately severe.
These vulnerabilities affect a range of products, including Windows and Windows Components, Office and Office Components, Azure, Visual Studio, and Remote Desktop Services.
All three vulnerabilities rated “critical” are remote code execution (RCE) flaws that, if exploited, could allow an attacker to run arbitrary code on the device.
The two actively exploited zero-day vulnerabilities that Microsoft addressed in the February 2025 Patch Tuesday update are:
CVE-2025-21391 (CVSS 7.1) – Windows Storage Elevation of Privilege Vulnerability
This Elevation of Privilege (EoP) vulnerability in Windows Storage allows a local, authenticated attacker to delete targeted files on a system.
“An attacker would only be able to delete targeted files on a system. This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable,” reads Microsoft’s advisory.
No details about how this flaw was exploited in attacks or who reported it have been revealed.
CVE-2025-21418 (CVSS 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
The second actively exploited vulnerability allows an attacker to run a crafted program to gain SYSTEM privileges in Windows.
It remains unclear how this flaw was exploited in attacks, and Microsoft states that it was disclosed anonymously.
The other two zero-days, both publicly disclosed, that were patched in the February 2025 Patch Tuesday update are:
CVE-2025-21194 (CVSS 7.1) – Microsoft Surface Security Feature Bypass Vulnerability
According to Microsoft, this hypervisor flaw allows attackers to bypass UEFI and compromise the secure kernel on Surface devices. It is likely linked to the PixieFail vulnerabilities.
“This Hypervisor vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine. On some specific hardware it might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel,” explains Microsoft’s advisory.
The tech giant credited Francisco Falcón and Iván Arce of Quarkslab for discovering and reporting the vulnerability.
CVE-2025-21377 (CVSS 6.5) – NTLM Hash Disclosure Spoofing Vulnerability
This flaw exposes a Windows user’s NTLM hashes, allowing a remote attacker to steal them through minimal file interaction and potentially log in as the user.
“Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file could trigger this vulnerability,” explains Microsoft’s advisory.
Microsoft credited the flaw’s discovery to Owen Cheung, Ivan Sheung, and Vincent Yau with Cathay Pacific, Yorick Koster of Securify B.V., and Blaz Satler with 0patch by ACROS Security.
To install the February 2025 Patch Tuesday security update, go to Settings > Update & Security > Windows Update and click the Check for updates button.
You can also check out the complete list of vulnerabilities addressed by Microsoft in the February 2025 Patch Tuesday security updates here.