February 2025 Patch Tuesday has arrived, bringing with it a significant update from Microsoft that addresses 56 vulnerabilities, including two critical zero-day vulnerabilities currently under active exploitation: CVE-2025-21418 and CVE-2025-21391.
CVE-2025-21418 and CVE-2025-21391
CVE-2025-21418 is a vulnerability found in the Windows Ancillary Function Driver (AFD.sys), which plays a crucial role in enabling Windows applications to connect to the internet via the Windows Sockets API. This vulnerability can be exploited by attackers to elevate their privileges on the target system. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, explains, “An authenticated user would need to run a specially-crafted program that ends up executing code with SYSTEM privileges. These types of bugs are often paired with a code execution bug to gain full control of a system.”
Since 2022, there have been nine elevation of privilege vulnerabilities associated with the Ancillary Function Driver for WinSock, with only one previously exploited in the wild as a zero-day (CVE-2024-38193). Satnam Narang, senior staff research engineer at Tenable, notes that this particular vulnerability was leveraged by the North Korean APT group, Lazarus Group, to implant a new version of the FudModule rootkit for persistent stealth on compromised systems. The status of CVE-2025-21418’s exploitation by the same group remains uncertain.
CVE-2025-21391 impacts Windows Storage across various Windows and Windows Server versions. This elevation of privilege flaw could allow attackers to delete targeted files on a system, potentially leading to service disruptions; as ZDI researcher Simon Zuckerbraun has highlighted, such file-deletion bugs also pose a privilege escalation risk. Childs remarks, “While we’ve seen similar issues in the past, this does appear to be the first time the technique has been exploited in the wild. It’s likely paired with a code execution bug to fully compromise a system.” Users are advised to promptly test and deploy the patch addressing this vulnerability. Both zero-days have been added to CISA’s Known Exploited Vulnerabilities catalog.
Other vulnerabilities of note
Among the other vulnerabilities addressed this month, CVE-2025-21194 stands out as a security feature bypass vulnerability affecting Microsoft Surface laptops. Additionally, CVE-2025-21377, which involves an NTLMv2 hash disclosure vulnerability, has been marked as “publicly disclosed.” This particular flaw could enable attackers to authenticate as legitimate users, posing a significant risk to organizations that do not rely solely on Kerberos for authentication, according to Mike Walters, President of Action1.
Furthermore, CVE-2025-21376 is a critical remote code execution vulnerability arising from multiple weaknesses. It could be exploited by unauthenticated attackers through specially crafted requests sent to vulnerable Windows Lightweight Directory Access Protocol (LDAP) servers. Childs warns, “Since there’s no user interaction involved, this bug is wormable between affected LDAP servers. Microsoft lists this as ‘Exploitation Likely’, so even though this may be unlikely, I would treat this as an impending exploitation.”