Microsoft fixes four zero days and wormable RCE on slimline Patch Tuesday
"Treat this as an impending exploitation. Test and deploy the patch quickly."
Microsoft has fixed 57 CVEs, including four zero days and a wormable RCE, on a relatively modest Patch Tuesday compared to a January security splurge that addressed almost 160 vulnerabilities.
The wormable Remote Code Execution (RCE) bug is CVE-2025-21376, impacting the Windows Lightweight Directory Access Protocol (LDAP). The vulnerability has a CVSS score of 8.1 and allows a remote, unauthenticated attacker to execute code by sending a maliciously crafted request. Microsoft said exploitation was likely, urging prompt patching.
"Since there’s no user interaction involved, that makes this bug wormable between affected LDAP servers," the Zero Day Initiative wrote. "I would treat this as an impending exploitation. Test and deploy the patch quickly."
Two of the zero-day vulnerabilities are now being actively exploited in the wild. The first, CVE-2025-21418, has a CVSS score of 7.8 and is an elevation of privilege vulnerability in the Windows Ancillary Function Driver (AFD), which is part of the Windows Sockets (WinSock) API. An attacker can exploit this flaw by executing a specially crafted program to gain system-level privileges. The vulnerability affects machines running Windows 10, Windows 11, and multiple versions of Windows Server.
The second is CVE-2025-21391, an elevation of privilege flaw in Windows storage. It is a privilege escalation vulnerability in Windows Storage, carrying a CVSS score of 7.1. It allows a local attacker to delete certain files, though the exact conditions under which this can occur remain unclear. Because Windows Storage is integral to Windows Server, this vulnerability raises concerns about the potential deletion of critical data relied upon by applications.
Satnam Narang, Senior Staff Research Engineer at Tenable, said: "Both flaws appear to be post-compromise related, which means an attacker would need to obtain local access to a vulnerable system through other means, like exploiting another vulnerability for initial access, some type of social engineering, or compromised/weak credentials."
He added: "Since 2022, there have been nine elevation of privilege vulnerabilities in the Ancillary Function Driver for WinSock, three each year, including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).
"According to reports, CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group (also known as Hidden Cobra or Diamond Sleet) to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems.
"At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.""Conversely, there have been seven elevation of privilege bugs categorized as Windows Storage, including two in 2022, one in 2023 and four in 2024, though this is the first to be categorized as exploited in the wild as a zero day."
What was the most serious CVE in February's Patch Tuesday?
CVE-2025-21198 stands out as the most severe vulnerability in Microsoft’s February security updates, receiving a CVSS score of 9.0. This flaw poses a significant risk to high-performance computing (HPC) environments and enables remote code execution - although it's not necessarily an easy one to exploit.
To exploit it, an attacker would need network access to the targeted HPC cluster. However, once compromised, the vulnerability could potentially spread to other clusters and nodes within the same network, amplifying its impact.
Another key fix addresses CVE-2025-21379, a Windows DHCP Client Service vulnerability present across all Windows builds. With a CVSS score of 7.1, this flaw is challenging to exploit, requiring an attacker to map the network and execute a machine-in-the-middle (MITM) attack with precision. If an attacker reaches this stage, they could already have wide-ranging access to the target infrastructure.
Office users received multiple security fixes, including patches for remote code execution flaws and a spoofing vulnerability, whilst there were six patches for Windows Telephony users, each rated important with CVSS scores of 8.8.
Microsoft also rolled out five security patches for Excel, each rated 7.8 on the CVSS scale. While four are classified as important, CVE-2025-21381 has been singled out as a critical patching priority. This vulnerability enables remote code execution, though it’s technically categorized as a local attack. The “remote” aspect stems from how the exploit is delivered. An attacker could trick a user into opening a malicious file, leading to arbitrary code execution.
Additionally, CVE-2025-21177, a privilege escalation flaw in Dynamics 365, carries a CVSS rating of 8.7 and is considered critical by Microsoft. Fortunately, this vulnerability has already been fully mitigated, requiring no further action from users.
Have you got a story or insights to share? Get in touch and let us know.
