Microsoft’s February 2025 Patch Tuesday fixes 56 vulnerabilities, two of which are actively exploited zero-days in Windows Server. CISOs and IT admins need to take immediate action to counter threats.
On February 11, 2025, Microsoft published its monthly security patches, fixing 56 vulnerabilities across its products. Two of them, however, are actively exploited zero-days in Windows Server environments that need to be fixed by Chief Information Security Officers (CISOs) and IT admins on a priority basis.
1. Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (CVE-2025-21418):
It is a heap-based buffer overflow in the Windows Ancillary Function Driver (AFD), a vital component handling network-related functions. Its exploitation allows attackers to achieve SYSTEM-level privileges, leading to full control of the target system. Microsoft has seen active exploitation of this vulnerability in the wild. With its low attack complexity and zero user interaction requirements, fixing this vulnerability is of topmost priority.
2. Windows Storage Elevation of Privilege Vulnerability (CVE-2025-21391):
It is in the Windows Storage service and allows attackers to delete some files on a system lacking rightful ownership. Although it does not allow data disclosure, deletion of critical files leads to service disruption and system instability. Microsoft has seen active exploitation of this vulnerability in the wild. The attack is low-privilege and doesn’t require user interaction, making it a high-risk threat that needs to be fixed forthwith.
Other Vulnerabilities of Interest:
NTLM Hash Disclosure Spoofing Vulnerability (CVE-2025-21377): A publicly disclosed vulnerability, this is the accidental disclosure of NTLMv2 hashes, which would allow attackers to impersonate the target user. Minimal user interaction, e.g., selecting or right-clicking on a malicious file, can result in the exploit. Microsoft has determined exploitation as probable, and therefore the need for urgent patching is highlighted.
Microsoft Surface Security Feature Bypass Vulnerability (CVE-2025-21194): A security feature bypass vulnerability in various Microsoft Surface systems, this vulnerability would potentially allow attackers to seize control of the hypervisor and the secure kernel. Exploitation entails several steps, including being on the same network as the device and convincing the user to reboot. Complex, though, installing the updates provided is recommended in order to avoid potential risks.
Recommendations to CISOs and IT Administrators:
Immediate Patch Deployment: Deploy patches for CVE-2025-21418 and CVE-2025-21391 on all vulnerable Windows Server and desktop systems in order to avoid active exploitation threats.
Review and Update Security Policies: Update security policies to ensure systems are set up to receive and install security updates on a timely basis.
User Education: Educate users regarding the risks of engaging with unknown files and reporting suspicious activity.
Monitoring Systems: Regularly monitor systems for suspicious activity that could be indicative of exploitation attempts, such as the sudden deletion of files or unauthorized privilege escalation.
By taking these proactive measures, organizations can effectively eliminate the threat of exploitation and ensure the integrity and availability of systems.
