Microsoft plugs two zero-days for February Patch Tuesday

The company corrects active exploits in vulnerable Windows systems, one of which could give the attacker complete control if successful.

Microsoft corrected two Windows zero-days and issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.

Microsoft released 56 new CVEs for February Patch Tuesday with three rated critical. The company also re-released four older vulnerabilities with updated patches, including a fix for a Secure Boot flaw.

Microsoft plugs two new and one old zero-day

The first new zero-day is a Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability (CVE-2025-21418) rated important with a CVSS score of 7.8. This bug affects all currently supported Windows desktop and server systems. 

The attack vector is local, meaning the attacker needs local access -- physically or remotely, using a method such as SSH -- and does not require user interaction. A successful exploit can give the attacker system privileges.

"This is the nastiest elevation of privilege that gives the attacker control of the box," said Chris Goettl, vice president of product management for security products at Ivanti. "Risk-based prioritization would warrant treating this as a higher severity, so critical rather than important, because it's being actively targeted."

Goettl said it's only a matter of time before the exploit code becomes widely available, which should push admins to patch their Windows systems quickly. 

The second new zero-day is a Windows Storage elevation-of-privilege vulnerability (CVE-2025-21391) rated important with a CVSS rating of 7.1. This flaw affects Windows Server editions from Windows Server 2016 and later and desktop editions, including Windows 10 and later versions.

To exploit the vulnerability, the attacker only needs local access to the network with low privileges. If successful, the attacker can delete files on a system to cause service disruptions and possibly perform other actions, such as elevating their privileges. 

A Windows zero-day Microsoft first addressed on May 9, 2023, resurfaced for February Patch Tuesday. Microsoft delivered a revision for a Secure Boot security feature bypass vulnerability (CVE-2023-24932) to include more affected systems: Windows 11 versions 22H2, 23H2 and 24H2, and Windows Server 2025.

Microsoft addresses two publicly disclosed vulnerabilities

The first publicly disclosed vulnerability is an NTLM Hash Disclosure spoofing vulnerability (CVE-2025-21377) rated important with a 6.5 CVSS score. This flaw affects most Windows desktop and server systems. Microsoft tagged this vulnerability with an "exploitation more likely" assessment.

Microsoft's CVE notes indicate attackers can exploit this vulnerability across the internet, and it only requires minimal user interaction, such as a right-click on a malicious file, to trigger the exploit. Admins who deploy the "security only" updates on older Windows Server systems must apply the Internet Explorer cumulative update to protect the MSHTML, EdgeHTML and scripting platforms. 

"It's not actively being exploited in the wild, but there is confirmed exploit code, so the likelihood of somebody finding the code and trying to weaponize it means the bar is much lower," Goettl said.

In June 2024, Microsoft added the NTLM authentication protocol to its deprecated features list. While NTLM will continue to work, it is no longer under active development. Microsoft advises customers to seek more secure user authentication methods, such as Kerberos, and avoid falling back on NTLM.
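Before an administrator can stop relying on NTLM, they need to know where it is still negotiated and how the host's "Restrict NTLM" policies are set. The script below is an added example, not code from the article or from Microsoft: it reads the documented NTLM policy values under the LSA registry keys and summarizes recent NTLM usage from the Microsoft-Windows-NTLM/Operational log (events 8001 to 8004 are written only once the audit settings are enabled). The regex used to pull the target server out of event text is an assumption about the event message layout, and the helper names are invented for this example.

```powershell
# Added example (not from the article): inventory NTLM policy and recent NTLM
# usage on a Windows host so that remaining NTLM fallback can be found and fixed.
# Assumes Windows PowerShell 5.1+ run from an elevated session.

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# Documented policy values and what each setting means.
$script:NtlmPolicies = @(
    @{ Path = $lsa;   Name = 'LmCompatibilityLevel'
       Map = @{ 0 = 'Send LM & NTLM'; 1 = 'LM & NTLM, NTLMv2 session security if negotiated'
                2 = 'Send NTLM only'; 3 = 'Send NTLMv2 only'; 4 = 'NTLMv2 only, refuse LM'
                5 = 'NTLMv2 only, refuse LM & NTLM' } },
    @{ Path = $msv10; Name = 'RestrictSendingNTLMTraffic'
       Map = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } },
    @{ Path = $msv10; Name = 'AuditReceivingNTLMTraffic'
       Map = @{ 0 = 'Disabled'; 1 = 'Audit domain accounts'; 2 = 'Audit all accounts' } },
    @{ Path = $msv10; Name = 'RestrictReceivingNTLMTraffic'
       Map = @{ 0 = 'Allow all'; 1 = 'Deny domain accounts'; 2 = 'Deny all accounts' } }
)

function Get-NtlmPolicyState {
    # Returns one object per policy with the raw value and its meaning.
    foreach ($p in $script:NtlmPolicies) {
        $raw = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $state = if ($null -eq $raw) { 'not configured (default)' }
                 elseif ($p.Map.ContainsKey([int]$raw)) { "$raw ($($p.Map[[int]$raw]))" }
                 else { "$raw (unrecognized value)" }
        [pscustomobject]@{ Setting = $p.Name; State = $state }
    }
}

function Get-NtlmUsageSummary {
    param([int]$Days = 7)
    # 8001: outgoing NTLM blocked/audited, 8002: incoming NTLM server-side,
    # 8003: incoming NTLM for domain account, 8004: NTLM validated in domain.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }
    foreach ($group in ($events | Group-Object Id)) {
        # Assumption: 8001 messages carry a "Target server:" field; other IDs
        # may not, in which case the field stays empty.
        $targets = $group.Group |
            ForEach-Object { if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } } |
            Sort-Object -Unique
        [pscustomobject]@{
            EventId = [int]$group.Name
            Count   = $group.Count
            Targets = ($targets -join ', ')
        }
    }
}

# Usage: run on a host to see policy state and where NTLM is still negotiated.
Get-NtlmPolicyState | Format-Table -AutoSize
Get-NtlmUsageSummary -Days 7 | Format-Table -AutoSize
```

Run it first on a sample of hosts with `AuditReceivingNTLMTraffic` and `RestrictSendingNTLMTraffic` set to audit, and use the target list to move the remaining services to Kerberos before switching the policies to deny.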

The other public disclosure is a Microsoft Surface security feature bypass vulnerability (CVE-2025-21194) rated important for several Surface products, including the Microsoft Surface Hub and Surface laptops. This vulnerability has a CVSS rating of 7.1.

To exploit this vulnerability, an attacker must overcome several technical hurdles, such as gaining access to a restricted network and forcing the user to reboot the device.

Other security updates of note for February Patch Tuesday

One critical vulnerability corrected this month is a Microsoft Excel remote-code execution flaw (CVE-2025-21381) that affects several Microsoft Office releases, including Microsoft 365 Apps, Office 2019 and Office for Mac. The CVSS rating is 7.8. 

An attacker only needs to get a user to view a malicious Excel document in a preview pane to trigger the exploit on the local machine.

"If you are in Outlook and the Excel document opens in the preview pane, then it can launch an attack with arbitrary code execution," Goettl said. "At this point, the attacker can install something, perform privilege escalation or execute any range of actions to get a foothold in the organization."

This vulnerability is one of six Excel flaws that Microsoft corrected this month, the other five being CVE-2025-21383, CVE-2025-21386, CVE-2025-21387, CVE-2025-21390 and CVE-2025-21394.

Another critical vulnerability is a Windows Lightweight Directory Access Protocol (LDAP) remote-code execution flaw (CVE-2025-21376) that affects most supported Windows desktop and server systems. This flaw has a CVSS rating of 8.1, and Microsoft gave it an "exploitation more likely" assessment.

An attacker on the network must win a race condition to trigger the exploit. Because the attacker does not need privileges or user interaction, this vulnerability is considered more serious due to the potential risk to affected systems. 

"An unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation could result in a buffer overflow which could be leveraged to achieve remote code execution," Microsoft wrote in the CVE notes. 

Tom Walat is the site editor for Informa TechTarget Editorial's Windows Server site, managing all site content. Walat previously worked for a newspaper in the Greater Boston area.