February brings 56 Patch Tuesday fixes from Microsoft

Two zero-day flaws are among the 56 security vulnerabilities Microsoft addressed with its Patch Tuesday update for February.

The latest edition of the monthly security dump is largely comprised of flaws rated as "important risks," with just three bugs given a "critical" severity classification.

The two zero days, which both classified as being "important" level risks, are already being targeted for exploit in the wild.

Among the most fascinating to experts is CVE-2025-21391. Listed as an elevation of privilege vulnerability, the flaw is found in the Windows Storage component. An attacker who exploited the bug would be able to arbitrarily write and, more importantly, delete data from a vulnerable storage device.

“While we’ve seen similar issues in the past, this does appear to be the first time the technique has been exploited in the wild,” explained Dustin Childs, a researcher with the Trend Micro ZDI.

“It’s also likely paired with a code execution bug to completely take over a system.”

The second vulnerability, CVE-2025-21418, is also an elevation of privilege flaw. In this case, a successful exploit would allow the attacker to escalate their account access from low-level to total system takeover.

Experts noted that this CVE-2025-21418 could be linked to another CVE issue in the Windows Ancillary Function Driver for WinSock first reported nearly two years ago.

“This vulnerability may be linked to CVE-2023-21768, which was exploited through improper handling of user-mode inputs,” noted Henry Smith, senior security director at Automox.

“By sending a malicious I/O request to the AFD driver, a low-privilege user could escalate their access to system-level privileges.”

Thankfully for administrators and network defenders, none of the three flaws marked "critical" this month have been exploited in the wild, though that will likely change in the coming days as the flaws become known to threat actors.

Critical flaws in the February update include CVE-2025-21379 in Windows DHCP, CVE-2025-21177 in Dynamics 365 Sales, and CVE-2025-21376 in the LDAP protocol. Though these flaws have yet to be actively exploited, the possibility for remote code execution should make them a top priority for testing and deployment.

While 56 flaws is nothing to sneer at, this month’s release pales in comparison to January’s Patch Tuesday release, which saw Microsoft address an eye-watering 159 CVE-listed vulnerabilities.

“After a couple of record-breaking releases, this volume of fixes is more in line with expectations,” Childs noted. “Let’s hope this trend, rather than monster releases, remains the norm for 2025.”