Date: 2025-02-11

Microsoft corrected two Windows zero-days and issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.

Microsoft released 56 new CVEs for February Patch Tuesday, with three rated critical. The company also rereleased four older vulnerabilities with updated patches, including a fix for a Secure Boot flaw.

Microsoft plugs two new and one old zero-day

The first new zero-day is a Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability (CVE-2025-21418) rated important with a CVSS score of 7.8. This bug affects all currently supported Windows desktop and server systems. The attack vector is local, meaning the attacker needs local access -- physically or remotely, using a method such as SSH -- and does not require user interaction. A successful exploit can give the attacker system privileges.

"This is the nastiest elevation of privilege that gives the attacker control of the box," said Chris Goettl, vice president of product management for security products at Ivanti. "Risk-based prioritization would warrant treating this as a higher severity, so critical rather than important, because it's being actively targeted."

Goettl said it's only a matter of time before the exploit code becomes widely available, which should push admins to patch their Windows systems quickly.

The second new zero-day is a Windows Storage elevation-of-privilege vulnerability (CVE-2025-21391) rated important with a CVSS rating of 7.1. This flaw affects Windows Server editions from Windows Server 2016 and later and desktop editions, including Windows 10 and later versions. To exploit the vulnerability, the attacker needs only local access to the network with low privileges. If successful, the attacker can delete files on a system to cause service disruptions and possibly perform other actions, such as elevating their privileges.

A Windows zero-day Microsoft first addressed in May 2023 resurfaced for February Patch Tuesday. Microsoft delivered a revision for a Secure Boot security feature bypass vulnerability (CVE-2023-24932) to include more affected systems: Windows 11 versions 22H2, 23H2 and 24H2, and Windows Server 2025.

Microsoft addresses two publicly disclosed vulnerabilities

The first publicly disclosed vulnerability is an NTLM Hash Disclosure spoofing vulnerability (CVE-2025-21377) rated important with a 6.5 CVSS score. This flaw affects most Windows desktop and server systems. Microsoft tagged this vulnerability with an "exploitation more likely" assessment.

Microsoft's CVE notes indicate attackers can exploit this vulnerability across the internet, and it requires only minimal user interaction, such as a right-click on a malicious file, to trigger the exploit. Admins who deploy the "security only" updates on older Windows Server systems must apply the Internet Explorer cumulative update to protect the MSHTML, EdgeHTML and scripting platforms.

"It's not actively being exploited in the wild, but there is confirmed exploit code, so the likelihood of somebody finding the code and trying to weaponize it means the bar is much lower," Goettl said.

In June 2024, Microsoft added the NTLM authentication protocol to its deprecated features list. While NTLM will continue to work, it is no longer under active development. Microsoft advises customers to seek more secure user authentication methods, such as Kerberos, and avoid falling back on NTLM.

The other public disclosure is a Microsoft Surface security feature bypass vulnerability (CVE-2025-21194) rated important for several Surface products, including the Microsoft Surface Hub and Surface laptops. This vulnerability has a CVSS rating of 7.1. To exploit this vulnerability, an attacker must overcome several technical hurdles, such as gaining access to a restricted network and forcing the user to reboot the device.