Microsoft Targets 4 Zero-Day Flaws for February

Microsoft's monthly security update arrived Tuesday with a more manageable 56 CVEs for the month after January's massive security update. While the number of fixed issues is less than half of last month's total, IT will still need to work quickly to address the four zero-day vulnerabilities fixed in the patch, two of which are under active exploit.

The first actively exploited vulnerability, CVE-2025-21418, addresses an issue in the Windows Ancillary Function Driver for WinSock. While the nature of the flaw has not been disclosed, active attacks have been spotted, with attackers gaining SYSTEM privileges on a targeted machine.

It's a similar situation for CVE-2025-21391, an elevation of privilege flaw in Windows Storage. Attacks are ongoing, and the flaw provides attackers with limited access to a machine. "This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable," said Microsoft.

While both are rated only "important" in severity, they still should be treated as critical, due to the active exploitation. Providing insight into both, Satnam Narang, senior staff research engineer at Tenable, explained that "both flaws appear to be post-compromise related, which means an attacker would need to obtain local access to a vulnerable system through other means, like exploiting another vulnerability for initial access, some type of social engineering, or compromised/weak credentials."

The remaining two zero-day flaws are issues that have been publicly disclosed but have not yet been seen in active exploitation in the wild. First up is CVE-2025-21194, a security feature bypass flaw in Windows Surface. According to Microsoft, a successful exploit could compromise the secure kernel and hypervisor on Windows Surface devices if the Unified Extensible Firmware Interface (UEFI) host machine is compromised. While details of this flaw have been made public, actually exploiting it would involve many steps, including manipulating "specific application behavior, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token."

The final publicly disclosed zero-day is a spoofing flaw that leads to NTLM hash disclosure (CVE-2025-21377). If successfully exploited, an attacker can gain access to a user's NTLMv2 hash. Microsoft said that far less effort than the Surface exploit would be needed to pull off an attack, so prompt patching is recommended before attacks begin to show up.

Once those are handled, users who do not have automatic patching enabled should move on to this month's three CVEs rated "critical":

  • CVE-2025-21379: Remote code execution flaw in the DHCP Client Service.
  • CVE-2025-21177: Elevation of privilege flaw in Microsoft Dynamics 365.
  • CVE-2025-21376: Remote code execution flaw in Windows Lightweight Directory Access Protocol (LDAP).

A full list of this month's bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
