Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws
The monthly report is relatively lightweight, with some mobile updates or fixes that have already been performed server-side and shouldn’t be a concern to admins, said Tyler Reguly, associate director of security R&D at global cybersecurity software and services provider Fortra. Another vulnerability impacts only Microsoft Surface hardware.
February update patches two exploited vulnerabilities
The two exploited vulnerabilities are:
- CVE-2025-21391, a Windows storage flaw that could let a threat actor delete files.
- CVE-2025-21418, an elevation-of-privilege flaw in the Windows Ancillary Function Driver for WinSock (afd.sys).
“While both vulnerabilities are rated Important by Microsoft and have CVSS scores in the 7.x range, I would treat the Windows AFD for WinSock vulnerability as critical when it comes to patching, given that it has seen active exploitation,” Reguly said in an email to TechRepublic.
Vulnerabilities have been found in the Windows Ancillary Function Driver for WinSock nine times since 2022, including instances attributed to a North Korea-sponsored advanced persistent threat group, Tenable senior staff research engineer Satnam Narang pointed out in a comment to KrebsonSecurity.
“The root cause is insufficient validation of user-supplied input, allowing low-privileged users to send specially crafted data that overflows the buffer,” wrote Mike Walters, president and co-founder of patch management company Action1 in a blog post.
Neither exploited vulnerability requires user interaction to trigger; both are local privilege-escalation bugs, so an attacker who already runs low-privileged code on the machine can use them without tricking the user into doing anything.
CVE-2025-21391, the zero-day Windows storage flaw, stems from the way Windows resolves file paths and follows links, Walters said. File deletion is just the beginning of the problems it could cause, as it could lead to privilege escalation, unwanted access to security logs or configurations, malware injection, data manipulation, or other attacks.
“With a CVSS score of 7.1, the CVSS metrics outline that this vulnerability doesn’t affect confidentiality, so no sensitive data can be accessed,” said Kev Breen, senior director of threat research at cybersecurity platform maker Immersive, in an email to TechRepublic. “However, it can severely affect data integrity and availability.”
One vulnerability scores CVSS 9.0
The highest CVSS score addressed in the February patch pack is CVE-2025-21198, rated at 9.0. This CVE could let a threat actor perform a remote attack against a Linux agent in High Performance Computing clusters. However, it only works if the attacker already has access to the network the cluster is attached to.
“This networking requirement should limit the impact of what would otherwise be a more serious vulnerability,” Reguly said.
Microsoft patches spoofing bug affecting all client and server versions
CVE-2025-21377 was already publicly disclosed, but the patch is rolling out today. With this vulnerability a threat actor could reveal a user’s NTLMv2 hash, letting the attacker spoof the user’s identity. Walters said any organization using Windows systems that do not exclusively rely on Kerberos for authentication is at risk.
CVE-2025-21377 is “another CVE to patch sooner rather than later,” Breen said.
“The user doesn’t have to open or run the executable but simply viewing the file in Explorer could be enough to trigger the vulnerability,” said Breen. “This specific vulnerability is known as an NTLM relay or pass-the-hash attack and this style of attack is a favorite for threat actors as it allows them to impersonate users in the network.”
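Whatever the exact trigger, the damage from an NTLM hash disclosure bug like CVE-2025-21377 depends on whether the victim machine is allowed to send an NTLMv2 response to an attacker-controlled host at all. The following PowerShell script is an added example, not code from the article or from any of the vendors quoted in it; it audits two mitigations that limit that outbound path: the LSA policy "Restrict NTLM: Outgoing NTLM traffic to remote servers" and an outbound firewall block on TCP 445. The registry location and value meanings are Microsoft's documented ones; the script only reads state and does not change anything.

```powershell
# Added example (not from the article or any vendor): audit two mitigations that limit
# leakage of NTLMv2 responses to attacker-controlled hosts, the outcome described for
# CVE-2025-21377. Run in an elevated PowerShell session on the endpoint being checked.

function Get-NtlmOutboundPolicy {
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is stored
    # as RestrictSendingNTLMTraffic under the MSV1_0 key:
    #   0 or absent = allow all, 1 = audit all, 2 = deny all
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $item = Get-ItemProperty -Path $key -Name 'RestrictSendingNTLMTraffic' -ErrorAction SilentlyContinue
    switch ($item.RestrictSendingNTLMTraffic) {
        2       { return 'Deny all' }
        1       { return 'Audit all' }
        default { return 'Allow all (not configured)' }
    }
}

function Test-OutboundSmbBlocked {
    # True if any enabled outbound Block rule covers TCP 445 (SMB), the transport an
    # attacker-controlled share uses to harvest the NTLMv2 response.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and
            (($filter.RemotePort -contains '445') -or ($filter.RemotePort -eq 'Any'))) {
            return $true
        }
    }
    return $false
}

$policy     = Get-NtlmOutboundPolicy
$smbBlocked = Test-OutboundSmbBlocked

Write-Host "Outgoing NTLM to remote servers : $policy"
Write-Host "Outbound TCP 445 block rule     : $smbBlocked"

if ($policy -ne 'Deny all') {
    Write-Warning 'Outgoing NTLM is not denied; a coerced connection to a remote host can still send an NTLMv2 response.'
}
if (-not $smbBlocked) {
    Write-Warning 'No outbound block rule for TCP 445 found; consider blocking SMB to non-internal addresses.'
}
```

Denying all outgoing NTLM breaks legitimate access to hosts that cannot do Kerberos, so the practical sequence is to set the policy to audit (value 1) first, review the resulting events in the Microsoft-Windows-NTLM/Operational log (event ID 8001 records outgoing NTLM authentication to remote servers), add exceptions for the servers that still need NTLM, and only then move to deny. The firewall check is deliberately coarse: it reports any outbound block on 445, and a rule scoped to a narrow remote address range will still count, so read the rule's remote address scope before trusting the result.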
Finally, Ben McCarthy, lead cybersecurity engineer at Immersive, pointed out CVE-2025-21381, a vulnerability allowing for remote code execution in Excel.
“Excel vulnerabilities are particularly dangerous because Excel macros and embedded scripts have historically been a major attack vector for APT groups, ransomware operators, and financial fraud campaigns, often bypassing traditional security defenses,” McCarthy said.
Other major patches across brands
As Walters pointed out, Chrome 131 landed recently, bringing patches for several memory-safety vulnerabilities; none of the vulnerabilities Google identified have been exploited. Apple has also started rolling out iOS 18.3.1, which includes a fix for a physical-access attack that may have been exploited against specific individuals. Ivanti recommended that admins watch for updates from Google Chrome and Microsoft Edge this week.
“Browsers are a prime target for attackers to target users,” IT software company Ivanti’s vice president of product management for security products Chris Goettl wrote in a blog post. “While including browsers in your monthly update process is recommended, it leaves a lot of CVEs exposed in between cycles. It’s recommended to move browsers to a weekly Priority Updates cadence.”
Last but not least, Adobe released updates for InDesign, Photoshop Elements, Illustrator, and more.