Microsoft Patches 63 Security Flaws, Including Two Actively Exploited Vulnerabilities

On February 13, 2025, Microsoft released a set of security patches addressing 63 vulnerabilities across its software products. These flaws include two that are actively being exploited in the wild. Out of the 63 vulnerabilities, three are classified as Critical, 57 as Important, one as Moderate, and two as Low in severity.

This update builds on last month’s Patch Tuesday, which already saw 23 flaws fixed in Microsoft’s Chromium-based Edge browser. Notably, the update highlights the importance of addressing these vulnerabilities promptly to protect systems from active exploitation.

Actively Exploited Vulnerabilities

Among the most urgent issues addressed are CVE-2025-21391 and CVE-2025-21418, both of which are being actively exploited. CVE-2025-21391 involves a Windows Storage Elevation of Privilege vulnerability (CVSS score: 7.1), which could allow attackers to delete critical files, potentially causing service disruptions.

While it does not lead to data leakage, its exploitation could hinder recovery efforts and erase key forensic evidence. CVE-2025-21418, with a higher CVSS score of 7.8, is a privilege escalation vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys) that allows attackers to gain SYSTEM-level privileges.


The CVE-2025-21418 flaw is particularly notable because it is a vulnerability in a native Windows driver, a target that has featured in sophisticated attacks. A similar flaw in the same component was previously exploited by the Lazarus Group, a cybercrime organization linked to North Korea.

These attack chains are increasingly concerning because exploiting a native Windows driver removes the need for Bring Your Own Vulnerable Driver (BYOVD) techniques. Though it is not yet clear whether this vulnerability is connected to Lazarus Group activity, both flaws have been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog, requiring federal agencies to patch them by March 4, 2025.
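The KEV listing is what turns this advisory into a deadline. The following script, an added example that is not part of the article or of any CISA tooling, shows how a defender can rank open CVEs so that known-exploited entries and their due dates take precedence over CVSS alone. The feed excerpt and the inventory of open CVEs are constructed samples: the CVE IDs, CVSS scores and the 2025-03-04 due date come from the article, while the `dateAdded` values and the vulnerability name strings are illustrative placeholders. The sample follows the field names of CISA's published KEV JSON (`cveID`, `vulnerabilityName`, `dateAdded`, `dueDate`), so the same functions can be pointed at the real feed.

```python
import json
from datetime import date, datetime

# Constructed sample in the shape of CISA's KEV JSON feed, limited to the
# fields this script reads. CVE IDs and the due date are the ones reported in
# the article; dateAdded and the name strings are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-21391",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Windows Storage Elevation of Privilege Vulnerability",
            "dateAdded": "2025-02-13",
            "dueDate": "2025-03-04",
        },
        {
            "cveID": "CVE-2025-21418",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Windows Ancillary Function Driver for WinSock "
                                 "Elevation of Privilege Vulnerability",
            "dateAdded": "2025-02-13",
            "dueDate": "2025-03-04",
        },
    ]
})

# Constructed inventory: February CVEs still unpatched in a hypothetical
# environment, mapped to the CVSS scores given in the article.
SAMPLE_OPEN_CVES = {
    "CVE-2025-21391": 7.1,
    "CVE-2025-21418": 7.8,
    "CVE-2025-21198": 9.0,
    "CVE-2025-21376": 8.1,
    "CVE-2025-21377": 6.5,
}


def load_kev(kev_json: str) -> dict:
    """Index a KEV feed (JSON text) by CVE ID, parsing dueDate into a date."""
    feed = json.loads(kev_json)
    index = {}
    for entry in feed["vulnerabilities"]:
        index[entry["cveID"]] = {
            "name": entry["vulnerabilityName"],
            "due": datetime.strptime(entry["dueDate"], "%Y-%m-%d").date(),
        }
    return index


def triage(open_cves: dict, kev_index: dict, today: date) -> list:
    """Order open CVEs for patching.

    KEV-listed CVEs come first (confirmed exploitation outranks CVSS), sorted
    by earliest due date and then by CVSS; the rest follow by CVSS descending.
    Each row is (cve, in_kev, cvss, days_until_due or None).
    """
    rows = []
    for cve, cvss in open_cves.items():
        kev = kev_index.get(cve)
        days = (kev["due"] - today).days if kev else None
        rows.append((cve, kev is not None, cvss, days))
    # Sort key: KEV before non-KEV, nearest due date first, higher CVSS first.
    rows.sort(key=lambda r: (not r[1], r[3] if r[3] is not None else 10**6, -r[2]))
    return rows


def overdue(rows: list) -> list:
    """CVE IDs whose KEV due date has already passed."""
    return [r[0] for r in rows if r[3] is not None and r[3] < 0]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for cve, in_kev, cvss, days in triage(SAMPLE_OPEN_CVES, kev, date(2025, 2, 20)):
        tag = f"KEV, due in {days} days" if in_kev else "not in KEV"
        print(f"{cve}  CVSS {cvss:.1f}  {tag}")
```

Note that the two KEV entries rank above CVE-2025-21198 even though its CVSS score of 9.0 is higher: active exploitation with a federal deadline is treated as the stronger signal, which matches how the article frames the two privilege escalation flaws.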

High-Risk Vulnerabilities and Remote Code Execution

The most severe flaw in the February update is CVE-2025-21198, a Remote Code Execution (RCE) vulnerability in the High Performance Compute (HPC) Pack (CVSS score: 9.0). An attacker can exploit it by sending specially crafted HTTPS requests, leading to remote code execution across nodes in the affected clusters.

Another critical RCE vulnerability, CVE-2025-21376, affects the Windows Lightweight Directory Access Protocol (LDAP), with a CVSS score of 8.1. This vulnerability could allow attackers to execute arbitrary code by exploiting a race condition, potentially enabling lateral movement, privilege escalation, and network breaches in enterprise environments.

In addition to the aforementioned flaws, the February update also addresses an NTLMv2 hash disclosure vulnerability (CVE-2025-21377, CVSS score: 6.5), which could allow attackers to authenticate as the targeted user. Beyond Microsoft, several other vendors have also rolled out security updates, including Adobe, Apple, Amazon Web Services, Intel, Google, Cisco, and numerous others. These patches aim to rectify vulnerabilities across a wide range of software, from operating systems to cloud services and applications, further emphasizing the importance of regular patching across the tech industry.
