Breaking Down the Latest February 2025 Patch Tuesday Report

Microsoft has released its February 2025 Patch Tuesday security updates, addressing 55 vulnerabilities across Windows, Office, Exchange Server, Azure, Dynamics, and other products. This month's release includes fixes for four zero-day vulnerabilities, with two being actively exploited in the wild.

The February 2025 Patch Tuesday includes patches for 3 critical vulnerabilities and 52 rated as important. The most common vulnerability types addressed are remote code execution (22 bugs), elevation of privilege (19 bugs), denial of service (9 bugs), spoofing (3 bugs), security feature bypass (2 bugs), and information disclosure (1 bug).

The two actively exploited zero-days are:

The two publicly disclosed zero-days are:

Other critical vulnerabilities patched this month include remote code execution flaws in Windows LDAP (CVE-2025-21376), Windows DHCP Server (CVE-2025-21379), and Microsoft Excel (CVE-2025-21381).

Key products receiving security updates include Windows, Office, Microsoft Edge, Azure Network Watcher, Windows DHCP Client, Windows Message Queuing, Windows Resilient File System Deduplication Service, Windows CoreMessaging, Microsoft Surface, Microsoft High Performance Compute Pack Linux Node Agent, Visual Studio, and Microsoft PC Manager.

This report will analyze these vulnerabilities in detail, examining their potential impact and providing remediation advice to help organizations prioritize their patching efforts for February 2025.

Let me know if you would like me to modify any part of this introduction to better match the style of the example reports.

Key Highlights - Patch Tuesday February 2025

In February's Patch Tuesday, Microsoft addressed 55 flaws, including four zero-day vulnerabilities, with two of them actively exploited in the wild. This update included patches across categories like elevation of privilege, remote code execution, spoofing, denial of service, security feature bypass, and information disclosure vulnerabilities.

The key affected products in this release span across Microsoft's ecosystem, including Windows, Office, Exchange Server, Azure, Dynamics 365, and others. It is crucial for administrators and end users to apply these security updates promptly to protect their systems from these vulnerabilities.

Key Highlights are:

4. Actively Exploited Zero-Days: The actively exploited zero-day vulnerabilities patched include:

5. Critical-Rated Bugs: Other critical-rated bugs include:

6. Non-Critical Notables: Other major issues include remote code executions in Office, SharePoint, Windows Telephony Service components, plus information disclosure bugs and denial of service vulnerabilities across Windows components.

This February's Patch Tuesday highlights Microsoft's ongoing commitment to securing its wide range of products against ever-evolving cybersecurity threats.

Zero-day Vulnerabilities Patched in February 2025

Microsoft addressed four zero-day vulnerabilities in the February 2025 Patch Tuesday release. Two of these vulnerabilities were actively exploited in the wild prior to patches being made available. Let's examine each of these critical vulnerabilities:

CVE-2025-21391 - Windows Storage Elevation of Privilege Vulnerability

This vulnerability exists in Windows Storage, a core Windows feature that manages how data is stored on a computer. An attacker exploiting this vulnerability would only be able to delete targeted files on a system. According to Microsoft's advisory, while this vulnerability does not allow disclosure of any confidential information, it could enable an attacker to delete data that could result in service unavailability.

Microsoft has confirmed active exploitation of this vulnerability in the wild, though no information has been released about how this flaw was exploited in attacks or who disclosed it.

CVE-2025-21418 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

This vulnerability exists in the Windows Ancillary Function Driver for WinSock, a core system driver that provides low-level functionality to the WinSock API. Successful exploitation could allow an attacker to gain SYSTEM privileges on affected systems. Microsoft has confirmed this vulnerability is being actively exploited in the wild, though details about the exploitation have not been disclosed.

CVE-2025-21194 - Microsoft Surface Security Feature Bypass Vulnerability

This vulnerability is a hypervisor vulnerability that could allow attacks to bypass UEFI and compromise the secure kernel. According to Microsoft's advisory, "On some specific hardware it might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel." The vulnerability was discovered by Francisco Falcón and Iván Arce of Quarkslab and is likely connected to the PixieFail flaws disclosed by the researchers last month.

CVE-2025-21377 - NTLM Hash Disclosure Spoofing Vulnerability

This publicly disclosed vulnerability could expose a Windows user's NTLM hashes, allowing a remote attacker to potentially log in as the user. Microsoft's advisory notes that "Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file could trigger this vulnerability."

The vulnerability likely acts like other NTLM hash disclosure flaws, where simply interacting with a file rather than opening it could cause Windows to remotely connect to a remote share. When doing so, an NTLM negotiation passes the user's NTLM hash to the remote server, which the attacker can collect. These NTLM hashes can then be cracked to obtain the plain-text password or used in pass-the-hash attacks.

This vulnerability was discovered by Owen Cheung, Ivan Sheung, and Vincent Yau with Cathay Pacific, Yorick Koster of Securify B.V., and Blaz Satler with 0patch by ACROS Security.

Based on the provided documents, I'll create a table summarizing the zero-day vulnerabilities:

This table succinctly presents the key details of each zero-day vulnerability patched in the February 2025 update, including their severity ratings, exploitation status, and public disclosure status.

Critical Vulnerabilities Patched in February 2025

Three vulnerabilities with critical severity scores in February 2025 patch reports are:

CVE-2025-21376 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Windows Lightweight Directory Access Protocol (LDAP) is a standard network protocol that allows users to access and manage information within a directory service. The protocol provides a way to centrally store and manage user information across a network, often used for authentication and single sign-on (SSO) purposes within a company.

An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable LDAP server. Successful exploitation requires an attacker to win a race condition, which could lead to a buffer overflow that could be leveraged to execute remote code.

CVE-2025-21379 - DHCP Client Service Remote Code Execution Vulnerability

A DHCP Client Service refers to the software component on a computer that allows it to automatically acquire network configuration details like an IP address, subnet mask, and default gateway from a DHCP server on the network.

The vulnerability can be exploited by a machine-in-the-middle (MITM) attack. The vulnerability is only limited to systems connected to the same network segment as the attacker. The vulnerability cannot be exploited across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

CVE-2025-21381 - Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel is a spreadsheet program that allows users to create, edit, analyze, and present data. It's part of the Microsoft Office and Microsoft 365 suites.

Successful exploitation of the vulnerability may allow an attacker to achieve remote code execution. The Preview Pane is listed as an attack vector, meaning previewing alone could trigger exploitation and code execution. Attack vectors include convincing users to open malicious emails or attachments.

Here is a summary table of the critical vulnerabilities:

These critical vulnerabilities should be prioritized in patching schedules due to their severe potential impact on system security. Organizations should apply the patches as soon as possible after appropriate testing.

Based on the provided documents, I'll create a detailed table summarizing the critical vulnerabilities:

The table presents key details about each critical vulnerability including:

This information helps security teams understand and prioritize these critical vulnerabilities in their patching schedules.

Vulnerabilities by Category

In total, 55 vulnerabilities were addressed in February's Patch Tuesday. Remote code execution vulnerabilities lead the volume with 22 patches, followed by elevation of privilege at 19 vulnerabilities. The rest consist of denial of service (9), spoofing (3), security feature bypass (2), and information disclosure (1) flaws.

Here is the breakdown of the categories patched this month:

1. Remote Code Execution - 22

2. Elevation of Privilege – 19

3. Denial of Service – 9

4. Spoofing – 3

5. Security Feature Bypass – 2

6. Information Disclosure – 1

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's February 2025 Patch Tuesday:

Remote code execution vulnerabilities continue to represent the highest proportion at 40% of the February updates. The second most prevalent category is elevation of privilege at 34.5%. While less frequent, denial of service, spoofing, security feature bypass, and information disclosure flaws also received important fixes this month.

List of Products Patched in February 2025 Patch Tuesday Report

Microsoft's February 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

This comprehensive patching covers Microsoft's core operating systems, productivity applications, development tools, and cloud services, reflecting the company's commitment to addressing security vulnerabilities across its entire product ecosystem.

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

Developer Tools Mariner vulnerabilities

Device vulnerabilities

ESU Windows vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Windows vulnerabilities

Bottom Line

Microsoft's February 2025 Patch Tuesday release addressed 55 total vulnerabilities, headlined by fixes for four zero-day flaws:

Additional key vulnerabilities included:

In total, 22 remote code execution bugs and 19 elevation of privilege flaws were addressed this month. Information disclosure, spoofing, denial of service, and security feature bypass issues rounded out the rest.

The extensive patch load stresses the importance of continuous monitoring, vulnerability management, and updating to counter sophisticated multi-stage attacks targeting enterprise networks. Prioritizing remediation efforts by potential business impact is crucial.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles: