Microsoft’s Patch Tuesday for February 2025 fixes four zero-day vulnerabilities, including two under active attack, plus another eight flaws judged to be at high risk of attack.
In all, the Patch Tuesday February 2025 release note lists 63 Microsoft CVEs and four non-Microsoft CVEs, three of which are for Chromium-based Microsoft Edge.
The highest-rated vulnerability, CVE-2025-21198, a 9.0-severity Microsoft High Performance Compute (HPC) Pack Remote Code Execution vulnerability, was judged to be at lower risk for exploitation because it requires network access.
After January’s record 159 vulnerabilities, which included eight zero days and another 17 vulnerabilities at risk of exploitation, the February 2025 Patch Tuesday list seemed like something of a break in comparison.
Microsoft Zero-Days Under Attack
The actively exploited vulnerabilities include CVE-2025-21391, a Windows Storage Elevation of Privilege Vulnerability, and CVE-2025-21418, Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability.
CVE-2025-21391 is a 7.1-rated Link Following vulnerability that doesn’t allow disclosure of confidential information, but Microsoft said an attacker could delete data that that results in the service being unavailable. No further information was released on the vulnerability.
CVE-2025-21418 is a 7.8-severity Heap-based Buffer Overflow vulnerability that could allow an attacker to gain system privileges. It was disclosed anonymously.
The other zero days revealed by Microsoft include CVE-2025-21194, a 7.1-rated Microsoft Surface Security Feature Bypass vulnerability that requires multiple conditions for exploitation; and CVE-2025-21377, a 6.5-severity NTLM Hash Disclosure Spoofing vulnerability.
The Surface vulnerability was rated as less likely to be exploited, while the NTLM flaw was rated “Exploitation More Likely.”
Patch Tuesday February 2025 Vulnerabilities at High Risk of Attack
In addition to the three zero days actively under attack or at risk of attack, an additional eight vulnerabilities were rated as “Exploitation More Likely.” The eight range in severity from 7.0 to 8.1 on the CVSS v3.1 scoring system. They include:
- CVE-2025-21419, a Windows Setup Files Cleanup Elevation of Privilege vulnerability
- CVE-2025-21420, a Windows Disk Cleanup Tool Elevation of Privilege vulnerability
- CVE-2025-21400, an 8.0-rated Microsoft SharePoint Server Remote Code Execution vulnerability
- CVE-2025-21414, CVE-2025-21184, and CVE-2025-21358, all of which are Windows Core Messaging Elevation of Privileges vulnerabilities that could allow an attacker to gain system privileges
- CVE-2025-21367, a Windows Win32 Kernel Subsystem Elevation of Privilege vulnerability
- CVE-2025-21376, an 8.1-rated Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution vulnerability.
Other Vendors Issuing Patch Tuesday Updates
Patch Tuesday isn’t just for Microsoft, of course, as several other vendors also released updates. A partial list includes:
