Today is Microsoft’s February 2025 Patch Tuesday, which includes security updates for 55 flaws, including four zero-day vulnerabilities, with two actively exploited in attacks.
This Patch Tuesday also fixes three “Critical” vulnerabilities, all remote code execution vulnerabilities.
The number of bugs in each vulnerability category is listed below:
- 19 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 22 Remote Code Execution Vulnerabilities
- 1 Information Disclosure Vulnerabilities
- 9 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
The above numbers do not include a critical Microsoft Dynamics 365 Sales elevation of privileges flaw and 10 Microsoft Edge vulnerabilities fixed on February 6.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5051987 & KB5051989 cumulative updates and the Windows 10 KB5051974 update.
Two actively exploited zero-day disclosed
This month’s Patch Tuesday fixes two actively exploited and two publicly exposed zero-day vulnerabilities.
Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no official fix is available.
The actively exploited zero-day vulnerability in today’s updates are:
CVE-2025-21391 – Windows Storage Elevation of Privilege Vulnerability
Microsoft has fixed an actively exploited elevation of privileges vulnerability that can be used to delete files.
“An attacker would only be able to delete targeted files on a system,” reads Microsoft’s advisory.
“This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable,” continued Microsoft.
No information has been released about how this flaw was exploited in attacks and who disclosed it.
CVE-2025-21418 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
The second actively exploited vulnerability allows threat actors to gain SYSTEM privileges in Windows.
It is unknown how it was used in attacks, and Microsoft says this flaw was disclosed anonymously.
The publicly disclosed zero-days are:
CVE-2025-21194 – Microsoft Surface Security Feature Bypass Vulnerability
Microsoft says that this flaw is a hypervisor vulnerability that allows attacks to bypass UEFI and compromise the secure kernel.
“This Hypervisor vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine,” explains Microsoft’s advisory.
“On some specific hardware it might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel.”
Microsoft says that Francisco Falcón and Iván Arce of Quarkslab discovered the vulnerability.
While Microsoft did not share many details about the flaw, it is likely connected to the PixieFail flaws disclosed by the researchers last month.
PixieFail is a set of nine vulnerabilities that impact the IPv6 network protocol stack of Tianocore’s EDK II, which is used by Microsoft Surface and the company’s hypervisor products.
CVE-2025-21377 – NTLM Hash Disclosure Spoofing Vulnerability
Microsoft fixed a publicly disclosed bug that exposes a Window user’s NTLM hashes, allowing a remote attacker to potentially log in as the user.
“Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file could trigger this vulnerability.” explains Microsoft’s advisory.
While Microsoft has not shared many details about the flaw, it likely acts like other NTLM hash disclosure flaws, where simply interacting with a file rather than opening it could cause Windows to remotely connect to a remote share. When doing so, an NTLM negotiation passes the user’s NTLM hash to the remote server, which the attacker can collect.
These NTLM hashes can then be cracked to get the plain-text password or used in pass-the-hash attacks.
Microsoft says this flaw was discovered by Owen Cheung, Ivan Sheung, and Vincent Yau with Cathay Pacific, Yorick Koster of Securify B.V., and Blaz Satler with 0patch by ACROS Security.
Recent updates from other companies
Other vendors who released updates or advisories in February 2025 include:
- Adobe released security updates for numerous products, including Adobe Photoshop, Substance3D, Illustrator, and Animate.
- AMD released mitigations and firmware updates to address a vulnerability that can be exploited to load malicious CPU microcode.
- Apple released a security update for a zero-day exploited in ‘extremely sophisticated’ attacks.
- Cisco released security updates for multiple products, including Cisco IOS, ISE, NX-OS, and Identity Services.
- Google fixed an actively exploited zero-day flaw in Android Kernel’s USB Video Class driver.
- Ivanti released security updates for Connect Secure, Neurons for MDM, and Cloud Service Application.
- Fortinet released security updates for numerous products, including FortiManager, FortiOS, FortiAnalyzer, and FortiSwitchManager.
- Netgear fixed two critical vulnerabilities affecting multiple WiFi router models.
- SAP releases security updates for multiple products.
The February 2025 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the February 2025 Patch Tuesday updates.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Active Directory Domain Services | CVE-2025-21351 | Windows Active Directory Domain Services API Denial of Service Vulnerability | Important |
| Azure Network Watcher | CVE-2025-21188 | Azure Network Watcher VM Extension Elevation of Privilege Vulnerability | Important |
| Microsoft AutoUpdate (MAU) | CVE-2025-24036 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important |
| Microsoft Digest Authentication | CVE-2025-21368 | Microsoft Digest Authentication Remote Code Execution Vulnerability | Important |
| Microsoft Digest Authentication | CVE-2025-21369 | Microsoft Digest Authentication Remote Code Execution Vulnerability | Important |
| Microsoft Dynamics 365 Sales | CVE-2025-21177 | Microsoft Dynamics 365 Sales Elevation of Privilege Vulnerability | Critical |
| Microsoft Edge (Chromium-based) | CVE-2025-21267 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2025-21279 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2025-21342 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2025-0445 | Chromium: CVE-2025-0445 Use after free in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-0451 | Chromium: CVE-2025-0451 Inappropriate implementation in Extensions API | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-0444 | Chromium: CVE-2025-0444 Use after free in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-21283 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2025-21404 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2025-21408 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge for iOS and Android | CVE-2025-21253 | Microsoft Edge for IOS and Android Spoofing Vulnerability | Moderate |
| Microsoft High Performance Compute Pack (HPC) Linux Node Agent | CVE-2025-21198 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-21392 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-21397 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21381 | Microsoft Excel Remote Code Execution Vulnerability | Critical |
| Microsoft Office Excel | CVE-2025-21394 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21383 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21390 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21386 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21387 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft PC Manager | CVE-2025-21322 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important |
| Microsoft Streaming Service | CVE-2025-21375 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Surface | CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability | Important |
| Microsoft Windows | CVE-2025-21337 | Windows NTFS Elevation of Privilege Vulnerability | Important |
| Open Source Software | CVE-2023-32002 | HackerOne: CVE-2023-32002 Node.js `Module._load()` policy Remote Code Execution Vulnerability | Important |
| Outlook for Android | CVE-2025-21259 | Microsoft Outlook Spoofing Vulnerability | Important |
| Visual Studio | CVE-2025-21206 | Visual Studio Installer Elevation of Privilege Vulnerability | Important |
| Visual Studio Code | CVE-2025-24039 | Visual Studio Code Elevation of Privilege Vulnerability | Important |
| Visual Studio Code | CVE-2025-24042 | Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability | Important |
| Windows Ancillary Function Driver for WinSock | CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| Windows CoreMessaging | CVE-2025-21358 | Windows Core Messaging Elevation of Privileges Vulnerability | Important |
| Windows CoreMessaging | CVE-2025-21184 | Windows Core Messaging Elevation of Privileges Vulnerability | Important |
| Windows DHCP Client | CVE-2025-21179 | DHCP Client Service Denial of Service Vulnerability | Important |
| Windows DHCP Server | CVE-2025-21379 | DHCP Client Service Remote Code Execution Vulnerability | Critical |
| Windows Disk Cleanup Tool | CVE-2025-21420 | Windows Disk Cleanup Tool Elevation of Privilege Vulnerability | Important |
| Windows DWM Core Library | CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability | Important |
| Windows Installer | CVE-2025-21373 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2025-21216 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2025-21212 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2025-21352 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2025-21254 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important |
| Windows Kerberos | CVE-2025-21350 | Windows Kerberos Denial of Service Vulnerability | Important |
| Windows Kernel | CVE-2025-21359 | Windows Kernel Security Feature Bypass Vulnerability | Important |
| Windows LDAP – Lightweight Directory Access Protocol | CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical |
| Windows Message Queuing | CVE-2025-21181 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important |
| Windows NTLM | CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability | Important |
| Windows Remote Desktop Services | CVE-2025-21349 | Windows Remote Desktop Configuration Service Tampering Vulnerability | Important |
| Windows Resilient File System (ReFS) Deduplication Service | CVE-2025-21183 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability | Important |
| Windows Resilient File System (ReFS) Deduplication Service | CVE-2025-21182 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-21410 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-21208 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important |
| Windows Setup Files Cleanup | CVE-2025-21419 | Windows Setup Files Cleanup Elevation of Privilege Vulnerability | Important |
| Windows Storage | CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability | Important |
| Windows Telephony Server | CVE-2025-21201 | Windows Telephony Server Remote Code Execution Vulnerability | Important |
| Windows Telephony Service | CVE-2025-21407 | Windows Telephony Service Remote Code Execution Vulnerability | Important |
| Windows Telephony Service | CVE-2025-21406 | Windows Telephony Service Remote Code Execution Vulnerability | Important |
| Windows Telephony Service | CVE-2025-21200 | Windows Telephony Service Remote Code Execution Vulnerability | Important |
| Windows Telephony Service | CVE-2025-21371 | Windows Telephony Service Remote Code Execution Vulnerability | Important |
| Windows Telephony Service | CVE-2025-21190 | Windows Telephony Service Remote Code Execution Vulnerability | Important |
| Windows Update Stack | CVE-2025-21347 | Windows Deployment Services Denial of Service Vulnerability | Important |
| Windows Win32 Kernel Subsystem | CVE-2025-21367 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important |
