In a recent development, Microsoft has rolled out security updates to address a total of 56 vulnerabilities in its Windows operating systems and supported software. This batch includes fixes for two zero-day flaws that are currently being actively exploited by cybercriminals.
One of the critical vulnerabilities that received a patch is a buffer overflow vulnerability known as CVE-2025-21418. Microsoft has highlighted the importance of this update for enterprises as it is currently being exploited, has low attack complexity, and does not require any user interaction. Tenable’s senior staff research engineer, Satnam Narang, pointed out that there have been multiple elevation of privilege vulnerabilities in this particular Windows component since 2022, with one in 2024 being exploited by the North Korean APT group known as Lazarus Group.
Another zero-day vulnerability, CVE-2025-21391, was also addressed in this update. This elevation of privilege vulnerability in Windows Storage could potentially be used to delete files on a targeted system. Microsoft’s advisory on this bug indicates that no user interaction is needed, and the attack complexity is low. Adam Barnett, lead software engineer at Rapid7, cautioned against underestimating the impact of such vulnerabilities, as they could lead to more severe consequences beyond data loss or denial of service.
Additionally, a vulnerability that was publicly disclosed earlier, CVE-2025-21377, was also patched in this update. This weakness could allow an attacker to elevate their privileges on a vulnerable Windows system and steal NTLMv2 hashes, enabling them to authenticate as the targeted user without logging in. Microsoft noted that minimal user interaction with a malicious file is required to exploit this vulnerability.
The SANS Internet Storm Center has compiled a list of all the Microsoft patches released in this update, categorized by severity. Windows enterprise administrators are advised to keep a close watch on any potential issues with these patches via websites like askwoody.com.
In a separate software update-related news, Apple has released iOS 18.3.1 to address a zero-day vulnerability (CVE-2025-24200) that is being exploited in attacks. Adobe has also issued security updates to fix 45 vulnerabilities across various software products.
Furthermore, Google Chrome is rolling out an update that will trigger updates for Chromium-based browsers, including Microsoft Edge. Users are advised to stay vigilant for Chrome and Edge updates as they are expected to be released in the coming days.
On a different note, Microsoft’s flagship Copilot artificial intelligence feature is now being bundled with Windows software as part of Microsoft’s efforts to offset the costs of AI investments. Existing Office 365 users have the option to switch to a more affordable AI-free subscription called “Microsoft 365 Classic,” but some customers may not be offered this option until they attempt to cancel their existing subscription.
Overall, these security updates and software developments underscore the ongoing efforts of technology companies to address vulnerabilities and enhance the security of their products in the face of evolving cyber threats.