In February 2025, Microsoft’s Patch Tuesday release addressed several critical vulnerabilities, including four zero-day vulnerabilities. Among the fixes were two actively exploited vulnerabilities and eight flaws deemed to be at high risk of attack.
The Patch Tuesday release for February 2025 included a total of 63 Microsoft CVEs and four non-Microsoft CVEs, three of which were related to Chromium-based Microsoft Edge. The most severe vulnerability addressed in this release was CVE-2025-21198, a 9.0-severity Microsoft High-Performance Compute (HPC) Pack Remote Code Execution vulnerability. Despite its high severity, this vulnerability was considered to be of lower risk for exploitation due to the requirement for network access.
Following a record-breaking Patch Tuesday in January 2025, which saw 159 vulnerabilities being addressed, including eight zero-day vulnerabilities, the February release provided some relief in comparison.
The actively exploited vulnerabilities addressed in the February release included CVE-2025-21391, a Windows Storage Elevation of Privilege Vulnerability, and CVE-2025-21418, a Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. CVE-2025-21391 was rated at 7.1 in terms of severity and posed a risk of data deletion leading to service unavailability. On the other hand, CVE-2025-21418, with a severity rating of 7.8, could allow an attacker to gain system privileges.
Additional zero-day vulnerabilities addressed in the release were CVE-2025-21194, a Microsoft Surface Security Feature Bypass vulnerability, and CVE-2025-21377, an NTLM Hash Disclosure Spoofing vulnerability.
In addition to the zero-day vulnerabilities, the release also addressed eight vulnerabilities deemed to be at high risk of exploitation. These vulnerabilities ranged in severity from 7.0 to 8.1 and included issues such as Windows Setup Files Cleanup Elevation of Privilege, Windows Disk Cleanup Tool Elevation of Privilege, and Microsoft SharePoint Server Remote Code Execution.
Aside from Microsoft, several other vendors also issued updates as part of Patch Tuesday. These updates aimed to address various vulnerabilities across different products and services to enhance overall cybersecurity posture.
Overall, the February 2025 Patch Tuesday release from Microsoft addressed critical vulnerabilities that could have serious implications if left unpatched. With the increasing complexity of cyber threats, prompt patching and security updates are crucial to maintaining a secure digital environment.