WARNING: MICROSOFT PATCH TUESDAY FEBRUARY 2025 PATCHES 55 VULNERABILITIES (3 CRITICAL, 52 IMPORTANT), INCLUDING 4 ZERO-DAYS. PATCH IMMEDIATELY!!

Image
Decorative image
Veröffentlicht : 12/02/2025

Reference:
Advisory #2024-31

Version:
1.0

Affected software:
Multiple Microsoft Products

Type:
Several types, ranging from Remote Code Execution to Privilege Escalation and Denial of Service

CVE/CVSS:
Microsoft patched 55 vulnerabilities in its February 2025 Patch Tuesday release, 3 rated as critical, 52 rated important. Including 4 zero-day vulnerabilities and 2 vulnerabilities that are actively exploited.Number of CVE by type:

  • 21 Remote Code Execution vulnerabilities
  • 19 Elevation of Privilege vulnerabilities
  • 1 Information Disclosure vulnerabilities
  • 2 Spoofing vulnerability
  • 9 Denial of Service vulnerabilities
  • 2 Security Feature Bypass vulnerabilities
  • 1 Tampering

Sources

Microsoft - https://msrc.microsoft.com/update-guide/releaseNote/2025-feb

Risks

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.

Microsoft’s February 2025 Patch Tuesday includes 55 vulnerabilities (3 critical and 52 important), for a wide range of Microsoft products, impacting Microsoft Server and Workstations. This Patch Tuesday includes 2 actively exploited vulnerabilities and 4 zero-days. Some other vulnerabilities are also more likely to be exploited soon, therefore urgent patching is advised.

Description

The CCB would like to point your attention to following vulnerabilities:

CVE-2025-21418: Windows Ancillary Function Driver for WinSock (Actively exploited zero-day)

Elevation of Privilege Vulnerability. A local, authenticated attacker who successfully exploits this flaw could gain SYSTEM privileges. Microsoft confirmed it was exploited in the wild as a zero-day but provided no details on how it was used, stating that the flaw was disclosed anonymously. There have been several vulnerabilities in the same component in the past and notably CVE-2024-38193 was previously exploited in the wild by the North Korean APT Lazarus Group to implant the FudModule rootkit. However it is not known if CVE-2025-21418 was also exploited by the Lazarus Group.

CVE-2025-21391: Windows Storage (Actively exploited zero-day)

Elevation of Privilege Vulnerability. By exploiting this vulnerability, an attacker can delete specific files on a system. While it does not grant access to confidential information, it can be leveraged to remove important data. This could disrupt system functionality and potentially lead to a denial of service, depending on the files targeted. The Microsoft advisory mentions that this vulnerability is actively exploited but provides no additional information about how it was exploited.


CVE-2025-21377: NTLM Hash Disclosure (zero-day)

Spoofing Vulnerability. This vulnerability exposes a user's NTLMv2 hash to an attacker, who could then use it to authenticate as that user, leading to a total loss of confidentiality. Exploitation is considered “More Likely” by Microsoft and requires user interaction. But even minimal actions such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing a malicious file could trigger the exploit. To be fully protected, users who install only “Security Only” updates must also apply Internet Explorer (IE) Cumulative updates, as noted in Microsoft's advisory.

CVE-2025-21194: Microsoft Surface (zero-day)

Security Feature Bypass Vulnerability. Successful attacks require an attacker to gain access to the same network and convince a user to reboot their device. The vulnerability, allows bypassing UEFI on certain hardware, potentially compromising the hypervisor and secure kernel. The attack complexity is high, as exploitation depends on specific application behavior, user actions, parameter manipulation, and token impersonation. This vulnerability is rated as “Exploitation Less Likely” by Microsoft due to its multiple exploitation requirements.

CVE-2025-21376: Lightweight Directory Access Protocol (LDAP) (Critical)

Remote Code Execution Vulnerability. Successful exploitation of this vulnerability could result in a buffer overflow which could be leveraged to achieve remote code execution. It requires an attacker to win a race condition and send crafted requests to a vulnerable LDAP server. This vulnerability is assessed as more likely to be exploited.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

The Register - https://www.theregister.com/2025/02/12/patch_tuesday_february_2025/

The Hacker News - https://thehackernews.com/2025/02/microsofts-patch-tuesday-fixes-63-flaws.html

CISA - https://www.cisa.gov/news-events/alerts/2025/02/11/cisa-adds-four-known-exploited-vulnerabilities-catalog

Tenable - https://www.tenable.com/blog/microsofts-february-2025-patch-tuesday-addresses-55-cves-cve-2025-21418-cve-2025-21391

Zero Day Initiative - https://www.zerodayinitiative.com/blog/2025/2/11/the-february-2025-security-update-review