Microsoft Addresses 55 Security Flaws in February 2025 Patch Tuesday
Today marks Microsoft’s February 2025 Patch Tuesday release, which includes security updates for a total of 55 identified flaws. Among these, four are classified as zero-day vulnerabilities, with two actively being used by threat actors in cyberattacks.
A Deep Dive into Microsoft’s Patch Tuesday
This patch release fixes three severe “Critical” vulnerabilities, all of which involve remote code execution. These critical issues can potentially allow adversaries to execute arbitrary code on affected systems without requiring user interaction, escalating the risk significantly.
The number of vulnerabilities addressed by category is as follows:
- 19 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 22 Remote Code Execution Vulnerabilities
- 1 Information Disclosure Vulnerability
- 9 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
Notably, this count does not include a critical Microsoft Dynamics 365 Sales privilege escalation flaw and ten newly fixed Microsoft Edge vulnerabilities that were addressed the week before on February 6.
Two Actively Exploited Zero-Day Flaws Patched
This month, Microsoft tackled two actively exploited zero-day vulnerabilities. These flaws were being exploited before patches were officially available, which makes them particularly dangerous. Zero-day vulnerabilities are so called because they are unknown to the software vendor, and therefore unpatched, at the time they are discovered and exploited or publicly shared by attackers.
The first actively exploited zero-day flaw is CVE-2025-21391, which allows attackers to delete targeted files on a Windows system. The vulnerability does not expose confidential data, so the risk of information theft is limited, but it still poses a significant risk to data availability and service continuity.
The second flaw, CVE-2025-21418, permits hackers to gain SYSTEM-level privileges in Windows. SYSTEM privileges provide the highest level of access on a system, enabling an attacker to run virtually any program and make changes to the system that affect other users.
Details on the specific methods used to exploit these vulnerabilities and their initial discovery have not been provided by Microsoft, highlighting the importance of timely patch application.
Publicly Disclosed Zero-Day Flaws
In addition to the actively exploited zero-days, Microsoft also addressed two flaws that had been publicly disclosed before the patches were released.
The first public zero-day flaw is CVE-2025-21194, a security feature bypass vulnerability affecting the Microsoft Surface hypervisor. This issue can allow attackers to circumvent UEFI and the secure kernel, potentially leading to more comprehensive system compromises.
Originally uncovered by cybersecurity researchers Francisco Falcón and Iván Arce from Quarkslab, this flaw is likely linked to the PixieFail vulnerabilities disclosed by the team in January. PixieFail is a series of vulnerabilities that impact the IPv6 network protocol stack used by Microsoft Surface and its hypervisor products.
The second public zero-day, CVE-2025-21377, involves the improper disclosure of NTLM hashes, enabling remote attackers to gain unauthorized access by leveraging these hashes for authentication.
Minimal user interaction is enough to trigger this vulnerability: simply selecting a malicious file, or inspecting its properties, can be sufficient. Because the hash is exposed by interactions that do not involve opening or executing the file, an attacker can collect NTLM hashes through the NTLM negotiation that the victim's machine performs with a remote server.
This flaw was discovered by a collaborative effort between multiple cybersecurity experts, including researchers from Cathay Pacific, Securify B.V., and ACROS Security.
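The leak pattern described above has a simple endpoint-side signature: a user-facing process negotiating SMB with a host outside the organisation's own address space. The following is an added detection sketch (not part of the original article or any Microsoft guidance); the Sysmon Event ID 3 field names are real, but the key=value rendering, the internal address ranges and the sample events are constructed for illustration.

```python
"""Flag outbound SMB connections to hosts outside the organisation's ranges.

An NTLM hash disclosure of the kind described above is triggered when Explorer
resolves a path pointing at a remote server and negotiates NTLM with it. On the
endpoint this shows up as an SMB (TCP 445/139) connection to a non-internal
address. Sample events are constructed, in a simplified key=value rendering of
Sysmon Event ID 3 (network connection) fields; they are not from a real incident.
"""
import ipaddress
import re

# Assumed ranges the organisation owns, plus loopback and link-local. Anything
# else counts as "remote". ipaddress.is_private() is deliberately not used:
# it also classifies the documentation ranges in the sample data as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}  # SMB over TCP / NetBIOS session service

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn 'Key=value Key2="quoted value"' into a dict of strings."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_ntlm_egress(lines):
    """Return (image, dest_ip, dest_port) for outbound SMB to non-internal hosts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
            continue  # only locally initiated network connections matter here
        port = int(ev.get("DestinationPort", 0))
        if port in SMB_PORTS and not is_internal(ev["DestinationIp"]):
            hits.append((ev.get("Image", "?"), ev["DestinationIp"], port))
    return hits


# Constructed sample: a benign file-server connection, a leak-shaped connection,
# ordinary HTTPS traffic, and an inbound SMB connection that must not fire.
SAMPLE_EVENTS = [
    'EventID=3 Image="C:\\Windows\\explorer.exe" Initiated=true DestinationIp=10.20.30.40 DestinationPort=445',
    'EventID=3 Image="C:\\Windows\\explorer.exe" Initiated=true DestinationIp=203.0.113.7 DestinationPort=445',
    'EventID=3 Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" Initiated=true DestinationIp=203.0.113.9 DestinationPort=443',
    'EventID=3 Image="C:\\Windows\\System32\\svchost.exe" Initiated=false DestinationIp=203.0.113.7 DestinationPort=445',
]

if __name__ == "__main__":
    for image, ip, port in flag_ntlm_egress(SAMPLE_EVENTS):
        print(f"ALERT outbound SMB to remote host: {image} -> {ip}:{port}")
```

Blocking TCP 445 outbound at the perimeter, which removes the condition this rule looks for, is the corresponding preventive control.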
Other Security Updates in February 2025
Aside from Microsoft’s substantial patch release, several other major vendors issued security updates and advisories in February:
- Adobe provided critical security updates for popular products such as Photoshop, Substance3D, Illustrator, and Animate, addressing multiple vulnerabilities that could lead to remote code execution and other severe issues.
- AMD issued mitigations and firmware updates to protect against the exploitation of a vulnerability that could allow the loading of malicious CPU microcode, a potential backdoor for hardware-level attacks.
- Apple also patched a zero-day vulnerability, which was exploited in highly sophisticated attacks targeting their systems.
- Cisco released security updates for various products, including IOS, ISE, NX-OS, and Identity Services, covering a range of denial of service, remote code execution, and elevation of privilege flaws.
- Google fixed an actively exploited zero-day in the USB Video Class driver of the Android Kernel, mitigating risks associated with video streaming over USB.
- Ivanti addressed critical vulnerabilities in Connect Secure, Neurons for MDM, and Cloud Service Application, which were being used in zero-day attacks.
- Fortinet updated its product line, covering issues in FortiManager, FortiOS, FortiAnalyzer, and FortiSwitchManager, addressing denial of service, remote code execution, and other security risks.
- Netgear released updates for critical vulnerabilities affecting multiple WiFi router models, aiming to prevent unauthorized access and data breaches.
- SAP issued security patches for various products, reinforcing its commitment to cybersecurity measures.
Detailed Vulnerability Breakdown
Below is a comprehensive list of all vulnerabilities resolved in Microsoft’s February 2025 Patch Tuesday. For additional details on each vulnerability, including specific version information and remediation steps, visit this page.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Active Directory Domain Services | CVE-2025-21351 | Windows Active Directory Domain Services API Denial of Service Vulnerability | Important |
| Azure Network Watcher | CVE-2025-21188 | Azure Network Watcher VM Extension Elevation of Privilege Vulnerability | Important |
| Microsoft AutoUpdate (MAU) | CVE-2025-24036 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important |
| Microsoft Digest Authentication | CVE-2025-21368 | Microsoft Digest Authentication Remote Code Execution Vulnerability | Important |
| Microsoft Digest Authentication | CVE-2025-21369 | Microsoft Digest Authentication Remote Code Execution Vulnerability | Important |
| Microsoft Dynamics 365 Sales | CVE-2025-21177 | Microsoft Dynamics 365 Sales Elevation of Privilege Vulnerability | Critical |
| Microsoft Edge (Chromium-based) | CVE-2025-21267 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2025-21279 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2025-21342 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2025-0445 | Use after free in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-0451 | Inappropriate implementation in Extensions API | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-0444 | Use after free in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2025-21283 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2025-21404 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2025-21408 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge for iOS and Android | CVE-2025-21253 | Microsoft Edge for iOS and Android Spoofing Vulnerability | Moderate |
| Microsoft High Performance Compute Pack (HPC) Linux Node Agent | CVE-2025-21198 | Microsoft High Performance Compute Pack Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-21392 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2025-21397 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21381 | Microsoft Excel Remote Code Execution Vulnerability | Critical |
| Microsoft Office Excel | CVE-2025-21394 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21383 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21390 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21386 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2025-21387 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft PC Manager | CVE-2025-21322 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important |
| Microsoft Streaming Service | CVE-2025-21375 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important |
| Microsoft Surface | CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability | Important |
| Microsoft Windows | CVE-2025-21337 | Windows NTFS Elevation of Privilege Vulnerability | Important |
| Open Source Software | CVE-2023-32002 | Node.js `Module._load()` policy Remote Code Execution Vulnerability | Important |
| Outlook for Android | CVE-2025-21259 | Microsoft Outlook Spoofing Vulnerability | Important |
| Visual Studio | CVE-2025-21206 | Visual Studio Installer Elevation of Privilege Vulnerability | Important |
| Visual Studio Code | CVE-2025-24039 | Visual Studio Code Elevation of Privilege Vulnerability | Important |
| Visual Studio Code | CVE-2025-24042 | Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability | Important |
| Windows Ancillary Function Driver for WinSock | CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| Windows CoreMessaging | CVE-2025-21358 | Windows Core Messaging Elevation of Privileges Vulnerability | Important |
| Windows CoreMessaging | CVE-2025-21184 | Windows Core Messaging Elevation of Privileges Vulnerability | Important |
| Windows DHCP Client | CVE-2025-21179 | DHCP Client Service Denial of Service Vulnerability | Important |
| Windows DHCP Server | CVE-2025-21379 | Windows DHCP Server Remote Code Execution Vulnerability | Critical |
| Windows Disk Cleanup Tool | CVE-2025-21420 | Windows Disk Cleanup Tool Elevation of Privilege Vulnerability | Important |
| Windows DWM Core Library | CVE-2025-21414 | Windows DWM Core Library Elevation of Privileges Vulnerability | Important |
| Windows Installer | CVE-2025-21373 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2025-21216 | Windows Internet Connection Sharing Denial of Service Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2025-21212 | Windows Internet Connection Sharing Denial of Service Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2025-21352 | Windows Internet Connection Sharing Denial of Service Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2025-21254 | Windows Internet Connection Sharing Denial of Service Vulnerability | Important |
| Windows Kerberos | CVE-2025-21350 | Windows Kerberos Denial of Service Vulnerability | Important |
| Windows Kernel | CVE-2025-21359 | Windows Kernel Security Feature Bypass Vulnerability | Important |
| Windows Lightweight Directory Access Protocol (LDAP) | CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical |
| Windows Message Queuing | CVE-2025-21181 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
| Windows NTLM | CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability | Important |
| Windows Remote Desktop Services | CVE-2025-21349 | Windows Remote Desktop Configuration Service Tampering Vulnerability | Important |
| Windows Resilient File System (ReFS) Deduplication Service | CVE-2025-21183 | Windows Resilient File System Deduplication Service Elevation of Privilege Vulnerability | Important |
| Windows Resilient File System (ReFS) Deduplication Service | CVE-2025-21182 | Windows Resilient File System Deduplication Service Elevation of Privilege Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-21410 | Windows Routing and Remote Access Service Remote Code Execution Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2025-21208 | Windows Routing and Remote Access Service Remote Code Execution Vulnerability | Important |
| Windows Setup Files Cleanup | CVE-2025-21419 | Windows Setup Files Cleanup Elevation of Privilege Vulnerability | Important |
| Windows Storage | CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability | Important |
| Windows Telephony Server | CVE-2025-21201 | Windows Telephony Server Remote Code Execution Vulnerability | Important |
| Windows Telephony Service | CVE-2025-21407 | Windows Telephony Service Remote Code Execution Vulnerability | |
