The month-to-month report is comparatively light-weight, with some cellular updates or fixes which have already been carried out server-side and shouldn’t be a priority to admins, stated Tyler Reguly, affiliate director of safety R&D at international cybersecurity software program and providers supplier Fortra. One other vulnerability impacts solely Microsoft Floor {hardware}.
February replace patches two exploited vulnerabilities
The 2 exploited vulnerabilities are:
- CVE-2025-21391, a Home windows storage flaw that might let a menace actor delete recordsdata.
- CVE-2025-21418, a gap for privilege escalation starting in Home windows Ancillary Perform Driver for WinSock.
“Whereas each vulnerabilities are rated Necessary by Microsoft and have CVSS scores within the 7.x vary, I might deal with the Home windows AFD for WinSock vulnerability as essential in terms of patching, on condition that it has seen lively exploitation,” Reguly stated in an e-mail to TechRepublic.
Vulnerabilities have been discovered within the Home windows Ancillary Perform Driver for WinSock 9 instances since 2022, together with situations attributed to a North Korea-sponsored superior persistent menace group, Tenable senior workers analysis engineer Satnam Narang identified in a remark to KrebsonSecurity.
“The foundation trigger is inadequate validation of user-supplied enter, permitting low-privileged customers to ship specifically crafted knowledge that overflows the buffer,” wrote Mike Walters, president and co-founder of patch administration firm Action1 in a weblog put up.
No person interplay is required to patch both of the exploited vulnerabilities.
CVE-2025-21391, the zero-day Home windows storage flaw, stems from the best way Home windows resolves file paths and follows hyperlinks, Walters stated. File deletion is only the start of the issues it may trigger, because it may result in privilege escalation, undesirable entry to safety logs or configurations, malware injection, knowledge manipulation, or different assaults.
“With a CVSS rating of seven.1, the CVSS metrics define that this vulnerability doesn’t have an effect on confidentiality, so no delicate knowledge will be accessed,” stated Kev Breen, senior director of menace analysis at cybersecurity platform maker Immersive, in an e-mail to TechRepublic. “Nevertheless, it will probably severely have an effect on knowledge integrity and availability.”
One vulnerability scores CVSS 9.0
The best CVSS rating addressed within the February patch pack is CVE-2025-21198, rated at 9.0. This CVE may let a menace actor carry out a distant assault towards a Linux agent in Excessive Efficiency Computing clusters. Nevertheless, it solely works if the attacker already has entry to the community the cluster is hooked up to.
“This networking requirement ought to restrict the influence of what would in any other case be a extra critical vulnerability,” Reguly stated.
SEE: Microsoft PowerToys now consists of Sysinternals’ ZoomIT, a display screen recording software meant for technical displays.
Microsoft patches spoofing bug affecting all consumer and server variations
CVE-2025-21377 was already publicly disclosed, however the patch is rolling out right now. With this vulnerability a menace actor may reveal a person’s NTLMv2 hash, letting the attacker spoof the person’s identification. Walters stated any group utilizing Home windows methods that don’t solely depend on Kerberos for authentication is in danger.
CVE-2025-21377 is “one other CVE to patch sooner somewhat than later,” Breen stated.
“The person doesn’t need to open or run the executable however merely viewing the file in Explorer could possibly be sufficient to set off the vulnerability,” stated Breen. “This particular vulnerability is called an NTLM relay or pass-the-hash assault and this model of assault is a favourite for menace actors because it permits them to impersonate customers within the community.”
Lastly, Ben McCarthy, lead cybersecurity engineer at Immersive, identified CVE-2025-21381, a vulnerability permitting for distant code execution in Excel.
“Excel vulnerabilities are significantly harmful as a result of Excel macros and embedded scripts have traditionally been a significant assault vector for APT teams, ransomware operators, and monetary fraud campaigns, typically bypassing conventional safety defenses,” McCarthy stated.
Different main patches throughout manufacturers
As Walters identified, Chrome 131 landed just lately, bringing patches for a number of reminiscence vulnerabilities. Not one of the vulnerabilities Google recognized have been exploited. Apple has additionally began rolling out iOS 18.3.1, which features a repair for a bodily assault which will have been exploited towards particular people. Ivanti advisable admins to look at for updates from Google Chrome and Microsoft Edge this week.
“Browsers are a first-rate goal for attackers to focus on customers,” IT software program firm Ivanti’s vice chairman of product administration for safety merchandise Chris Goettl wrote in a weblog put up. “Whereas together with browsers in your month-to-month replace course of is advisable, it leaves lots of CVEs uncovered in between cycles. It’s advisable to maneuver browsers to a weekly Precedence Updates cadence.”
Final however not least, Adobe launched updates for InDesign, Photoshop Components, Illustrator, and extra.