Patch Tuesday | February 2025
ConnectWise
Every month on the second Tuesday, Microsoft and other vendors release security software patches in what has become known as Patch Tuesday. This month, Microsoft disclosed patches for 57 vulnerabilities, including 2 zero-days, 2 that were previously disclosed, and 3 classified as Critical; 16 of the total received CVSS base scores over 8.
The two zero-day vulnerabilities patched this Tuesday are both elevation of privilege vulnerabilities rated at an important severity level. CVE-2025-21391 affects Windows storage and only allows for elevation of privileges to delete files. It was assigned a CVSS 3.1 base score of 7.1, but exploitation of it has been detected. The other, CVE-2025-21418, affects the Windows ancillary function driver for WinSock and could provide SYSTEM-level privileges. It was given a base score of 7.8, and exploitation of it has also been detected.
A security feature bypass vulnerability, CVE-2025-21194, was previously disclosed by researchers at Quarkslab. It was given an important severity level and a CVSS base score of 7.1, and it requires several conditions to be met before successful exploitation is possible. The other previously disclosed vulnerability is CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability. It is also rated important severity and has a CVSS base score of 6.5, but was assessed as more likely to be exploited and as requiring minimal interaction by a potential victim.
Other notable vulnerabilities being patched by Microsoft this Tuesday include remote code execution (RCE) vulnerabilities in the Lightweight Directory Access Protocol (LDAP) (CVE-2025-21376) and SharePoint Server (CVE-2025-21400). The LDAP RCE was evaluated as critical severity, given a CVSS base score of 8.1, and assessed as more likely to be exploited. Successful exploitation of CVE-2025-21376 requires an attacker to send requests to a vulnerable LDAP server and win a race condition to cause a buffer overflow. CVE-2025-21400, with an important severity rating and an 8.0 base score, was also assessed as more likely to be exploited, but requires an attacker authenticated with at least Site Owner permissions.