Microsoft’s February Patch Tuesday: 53 Fixes, Including Weaponized Threats
After January’s record-breaking Patch Tuesday release, February’s update is significantly smaller, addressing 53 vulnerabilities. However, size doesn’t always equate to impact as this month’s fixes include two actively exploited vulnerabilities and two publicly disclosed ones.
The release consists of:
- 2 Critical and 51 Important fixes
- Coverage across Windows, Windows Components, Hyper-V, Azure, Office, Visual Studio, RDS, Android, and iOS
- A combined CVSS score of 398.3, with an average severity of 7.5 – higher than last month’s
Robert Brown, Senior Director of Professional Services at Absolute, emphasizes the importance of prioritization in vulnerability management. He warns that some of these threats could act as jump points for attackers, making swift action crucial.
Patch Tuesday Recap: Top 5 Vulnerabilities You Need to Know
As always, Patch Tuesday brings critical updates and security fixes to keep your systems protected. Here’s a breakdown of the most significant issues and why you should prioritize addressing them immediately.
- CVE-2025-21418 – WinSock Privilege Escalation
🚨 Weaponized, actively exploited
This vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys) lets a local, low-privileged attacker gain SYSTEM privileges and take full control of an already compromised machine.
🔹 Severity: Important | CVSS Score: 7.8
🔹 Attack Vector: Local | Privileges Required: Low
🔹 User Interaction: None | Complexity: Low
Why it matters: Exploitation has been detected in the wild. Local privilege escalation bugs like this are the step attackers take after an initial foothold (a phished user session, a compromised service account) to reach SYSTEM and disable or evade endpoint defences.
- CVE-2025-21391 – Windows Storage Privilege Escalation
🚨 Weaponized, actively exploited
A local, low-privileged attacker can delete targeted files on the system, which can cause data loss or leave the system unstable.
🔹 Severity: Important | CVSS Score: 7.1
🔹 Attack Vector: Local | Privileges Required: Low
🔹 User Interaction: None | Complexity: Low
Why it matters: Although this flaw does not give full system control, deleting the right files can disrupt operations significantly, and Microsoft has confirmed exploitation in the wild.
- CVE-2025-21194 – Surface Security Feature Bypass
⚠ Publicly disclosed
A Hypervisor vulnerability relating to virtual machines on a UEFI host. On some specific hardware it may be possible to bypass UEFI, and successful exploitation requires the user to first reboot the machine.
🔹 Severity: Important | CVSS Score: 7.1
🔹 Attack Vector: Adjacent | Privileges Required: None
🔹 User Interaction: Required | Complexity: High
Why it matters: A UEFI bypass on affected hardware could compromise the hypervisor and the secure kernel, undermining the virtualization-based security features that depend on them. Microsoft rates exploitation as less likely (adjacent network, high complexity, user interaction required), but the details are already public.
- CVE-2025-21377 – NTLM Hash Disclosure
⚠ Publicly disclosed, high exploitation risk
This flaw discloses a user's NTLMv2 hash to the attacker, who can relay it to other services or crack it offline to recover the password, and in either case authenticate as that user.
🔹 Severity: Important | CVSS Score: 6.5
🔹 Attack Vector: Network | Privileges Required: None
🔹 User Interaction: Required
Why it matters: Captured NTLM credentials are a staple of phishing campaigns and lateral movement, and Microsoft rates exploitation as more likely. Organizations still relying on NTLM authentication should treat this as a priority; the usual hardening (blocking outbound SMB at the perimeter, restricting outgoing NTLM via policy, auditing NTLM usage) limits how far a leaked hash can travel.
- CVE-2025-21198 – HPC Pack Remote Code Execution
🔥 Serious risk, high CVSS score (9.0)
This vulnerability lets an attacker send a specially crafted HTTPS request to a targeted head node or Linux node and execute code on it, and from there on other clusters or nodes connected to that head node (CVSS scope is Changed).
🔹 Severity: Important | CVSS Score: 9.0
🔹 Attack Vector: Adjacent | Privileges Required: Low
🔹 User Interaction: None
Why it matters: This is the highest CVSS of the month, and because a head node coordinates the cluster, compromising it exposes every node it manages. Exploitation needs adjacent-network access and low privileges, so the HPC management network should not be reachable from general user segments.
Final Thoughts: Act Now to Stay Secure
February’s Patch Tuesday highlights the ongoing risks of unpatched vulnerabilities, especially as attackers leverage AI and automation to identify new exploits faster than ever before.
- Prioritize patches for actively exploited and publicly disclosed vulnerabilities.
- Ensure your security team is equipped to respond quickly.
- Consider leveraging automation and vulnerability management solutions to stay ahead of threats.
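As an added example (not part of the original post), the following Python script applies the prioritisation rule above to rows transcribed from the table further down: actively exploited fixes first, then publicly disclosed ones, then Microsoft's "Exploitation More Likely" assessment, then vendor severity and CVSS. The rows are a constructed subset of the 53, and the patch windows (3/7/30 days) and the CVSS 9.0 cut-off are assumed policy values, not Microsoft guidance.

```python
"""Rank a Patch Tuesday release the way the post recommends:
exploited > publicly disclosed > 'Exploitation More Likely' > Critical > CVSS."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    cve: str
    title: str
    severity: str     # "Critical" | "Important" (Vendor Severity column)
    cvss: float       # CVSS Score column
    exploited: bool   # Weaponised column
    disclosed: bool   # Publicly Aware column
    assessment: str   # Exploitability Assessment column
    impact: str       # Impact column


# Constructed subset of rows transcribed from the table on this page.
FEBRUARY_FIXES = [
    Fix("CVE-2025-21418", "Windows Ancillary Function Driver for WinSock EoP", "Important", 7.8, True, False, "Exploitation Detected", "Elevation of Privilege"),
    Fix("CVE-2025-21391", "Windows Storage EoP", "Important", 7.1, True, False, "Exploitation Detected", "Elevation of Privilege"),
    Fix("CVE-2025-21194", "Microsoft Surface Security Feature Bypass", "Important", 7.1, False, True, "Exploitation Less Likely", "Security Feature Bypass"),
    Fix("CVE-2025-21377", "NTLM Hash Disclosure Spoofing", "Important", 6.5, False, True, "Exploitation More Likely", "Spoofing"),
    Fix("CVE-2025-21198", "HPC Pack RCE", "Important", 9.0, False, False, "Exploitation Less Likely", "Remote Code Execution"),
    Fix("CVE-2025-21376", "Windows LDAP RCE", "Critical", 8.1, False, False, "Exploitation More Likely", "Remote Code Execution"),
    Fix("CVE-2025-21379", "DHCP Client Service RCE", "Critical", 7.1, False, False, "Exploitation Less Likely", "Remote Code Execution"),
    Fix("CVE-2025-21420", "Windows Disk Cleanup Tool EoP", "Important", 7.8, False, False, "Exploitation More Likely", "Elevation of Privilege"),
    Fix("CVE-2025-21337", "Windows NTFS EoP", "Important", 3.3, False, False, "Exploitation Less Likely", "Elevation of Privilege"),
]


def priority_key(fix: Fix) -> tuple:
    """Tuple that sorts higher for more urgent fixes; tiers mirror the post's advice."""
    more_likely = fix.assessment == "Exploitation More Likely"
    return (fix.exploited, fix.disclosed, more_likely, fix.severity == "Critical", fix.cvss)


def rank(fixes: list[Fix]) -> list[Fix]:
    """Most urgent first."""
    return sorted(fixes, key=priority_key, reverse=True)


def sla_days(fix: Fix) -> int:
    """Assumed patch windows (sample policy, not from the post or Microsoft)."""
    if fix.exploited:
        return 3
    if (fix.disclosed or fix.assessment == "Exploitation More Likely"
            or fix.severity == "Critical" or fix.cvss >= 9.0):
        return 7
    return 30


def triage(fixes: list[Fix]) -> list[tuple[str, int]]:
    """Ordered (CVE, days-to-patch) list for the release."""
    return [(f.cve, sla_days(f)) for f in rank(fixes)]


if __name__ == "__main__":
    for cve, days in triage(FEBRUARY_FIXES):
        print(f"{cve}: patch within {days} days")
```

The ordering deliberately puts the two exploited Important bugs ahead of the Critical LDAP RCE: Microsoft's severity rating describes worst-case impact, while the Weaponised and Publicly Aware columns describe what attackers are actually doing today, which is what should drive the first 72 hours.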
Need help implementing these patches or optimizing your cybersecurity strategy? Our team is here to assist, reach out today.
Until next time, Happy Patching!
| Reference | Description | Vendor Severity | CVSS Score | Weaponised | Publicly Aware | Countermeasure | Additional Details | Exploitability Assessment | Impact |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation Detected | Elevation of Privilege |
| CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability | Important | 7.1 | Yes | No | No | An attacker would only be able to delete targeted files on a system. | Exploitation Detected | Elevation of Privilege |
| CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability | Important | 7.1 | No | Yes | No | This Hypervisor vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine. On some specific hardware it might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel. Successful exploitation of this vulnerability by an attacker requires a user to first reboot their machine. | Exploitation Less Likely | Security Feature Bypass |
| CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability | Important | 6.5 | No | Yes | No | This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user. While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. | Exploitation More Likely | Spoofing |
| CVE-2025-21198 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | Important | 9.0 | No | No | No | Scope = Changed, Jump Point = True. An attacker could exploit this vulnerability by sending a specially crafted HTTPS request to the targeted head node or Linux node granting them the ability to perform RCE on other clusters or nodes connected to the targeted head node. | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21190 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21200 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21201 | Windows Telephony Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21208 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21368 | Microsoft Digest Authentication Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21369 | Microsoft Digest Authentication Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21406 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21407 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21410 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21371 | Windows Telephony Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | This attack requires a client to connect to a malicious server, and that could allow the attacker to gain code execution on the client. | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | No | An unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation could result in a buffer overflow which could be leveraged to achieve remote code execution. | Exploitation More Likely | Remote Code Execution |
| CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.0 | No | No | No | In a network-based attack, an authenticated attacker, as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server. | Exploitation More Likely | Remote Code Execution |
| CVE-2025-21322 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation Less Likely | Elevation of Privilege |
| CVE-2025-21358 | Windows Core Messaging Elevation of Privileges Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation More Likely | Elevation of Privilege |
| CVE-2025-21359 | Windows Kernel Security Feature Bypass Vulnerability | Important | 7.8 | No | No | No | An authenticated standard user is able to bypass the User Account Control (UAC) prompt. | Exploitation Less Likely | Security Feature Bypass |
| CVE-2025-21367 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation More Likely | Elevation of Privilege |
| CVE-2025-21375 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation Less Likely | Elevation of Privilege |
| CVE-2025-21381 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | The Preview Pane is an attack vector. | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21383 | Microsoft Excel Information Disclosure Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. | Exploitation Less Likely | Information Disclosure |
| CVE-2025-21386 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | The Preview Pane is an attack vector. | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21387 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | The Preview Pane is an attack vector. | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21390 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | The Preview Pane is an attack vector. | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21392 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | The Preview Pane is not an attack vector. | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21394 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | The Preview Pane is an attack vector. | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21397 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | The Preview Pane is not an attack vector. | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21420 | Windows Disk Cleanup Tool Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation More Likely | Elevation of Privilege |
| CVE-2025-21373 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation Less Likely | Elevation of Privilege |
| CVE-2025-21181 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important | 7.5 | No | No | No | | Exploitation Less Likely | Denial of Service |
| CVE-2025-21351 | Windows Active Directory Domain Services API Denial of Service Vulnerability | Important | 7.5 | No | No | No | | Exploitation Less Likely | Denial of Service |
| CVE-2025-21182 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability | Important | 7.4 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation Less Likely | Elevation of Privilege |
| CVE-2025-21183 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability | Important | 7.4 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation Less Likely | Elevation of Privilege |
| CVE-2025-21206 | Visual Studio Installer Elevation of Privilege Vulnerability | Important | 7.3 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation Less Likely | Elevation of Privilege |
| CVE-2025-24039 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.3 | No | No | No | | Exploitation Less Likely | Elevation of Privilege |
| CVE-2025-24042 | Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability | Important | 7.3 | No | No | No | The attacker would gain the rights of the user that is running the affected application. | Exploitation Less Likely | Elevation of Privilege |
| CVE-2025-21379 | DHCP Client Service Remote Code Execution Vulnerability | Critical | 7.1 | No | No | No | | Exploitation Less Likely | Remote Code Execution |
| CVE-2025-21419 | Windows Setup Files Cleanup Elevation of Privilege Vulnerability | Important | 7.1 | No | No | No | An attacker would only be able to delete targeted files on a system. | Exploitation More Likely | Elevation of Privilege |
| CVE-2025-21184 | Windows Core Messaging Elevation of Privileges Vulnerability | Important | 7.0 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation More Likely | Elevation of Privilege |
| CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability | Important | 7.0 | No | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Exploitation More Likely | Elevation of Privilege |
| CVE-2025-24036 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important | 7.0 | No | No | No | | Exploitation Less Likely | Elevation of Privilege |
| CVE-2025-21349 | Windows Remote Desktop Configuration Service Tampering Vulnerability | Important | 6.8 | No | No | No | | Exploitation Less Likely | Tampering |
| CVE-2025-21212 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important | 6.5 | No | No | No | | Exploitation Less Likely | Denial of Service |
| CVE-2025-21216 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important | 6.5 | No | No | No | | Exploitation Less Likely | Denial of Service |
| CVE-2025-21254 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important | 6.5 | No | No | No | | Exploitation Less Likely | Denial of Service |
| CVE-2025-21352 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important | 6.5 | No | No | No | An attacker can send specially crafted packets which could affect availability of the service and result in Denial of Service (DoS). | Exploitation Less Likely | Denial of Service |
| CVE-2025-21347 | Windows Deployment Services Denial of Service Vulnerability | Important | 6.0 | No | No | No | An attacker who successfully exploits this vulnerability cannot access files but can overwrite their contents and potentially cause the service to become unavailable. | Exploitation Less Likely | Denial of Service |
| CVE-2025-21350 | Windows Kerberos Denial of Service Vulnerability | Important | 5.9 | No | No | No | | Exploitation Less Likely | Denial of Service |
| CVE-2025-21179 | DHCP Client Service Denial of Service Vulnerability | Important | 4.8 | No | No | No | | Exploitation Less Likely | Denial of Service |
| CVE-2025-21337 | Windows NTFS Elevation of Privilege Vulnerability | Important | 3.3 | No | No | No | An attacker would only be able to list folder contents and not gain system privileges. | Exploitation Less Likely | Elevation of Privilege |