Microsoft’s February patch release, while notably less extensive than January’s, still warrants careful scrutiny. This month, the tech giant has rolled out a total of 63 patches, including six that were previously released. Among these, two vulnerabilities have already been identified as actively exploited.
Both vulnerabilities necessitate local access and authentication for exploitation. The first, CVE-2025-21418, carries a CVSS score of 7.8 and pertains to an elevation of privilege vulnerability within the Windows Ancillary Function Driver for Winsock. This flaw enables an attacker to execute a specially crafted program, thereby gaining SYSTEM-level privileges on affected systems running Windows 10, 11, and various Windows Server versions.
The second vulnerability, CVE-2025-21391, is rated at 7.1 and also involves elevation of privilege. This issue affects Windows Storage, allowing a local attacker to delete files under certain ambiguous conditions. Given that Windows Storage is integral to Windows Server, the implications for data-dependent applications could be significant.
Additionally, Microsoft has disclosed two vulnerabilities that, while publicly known, have not yet been exploited. Surface device users should pay particular attention to CVE-2025-21194, which has a CVSS score of 7.1. This vulnerability exposes certain PCs to potential hypervisor and secure kernel compromises. However, exploiting this flaw is contingent upon several specific conditions, including particular application behaviors and user actions.
The other known vulnerability, CVE-2025-21377, poses a risk of leaking a user’s NTLMv2 hash. Rated at 6.5, this flaw is particularly troublesome as it can be triggered by minimal user interaction, such as selecting or right-clicking a file.
Among the vulnerabilities highlighted this month, CVE-2025-21198 stands out with a CVSS rating of 9.0. This critical flaw could have dire consequences for high-performance computing infrastructures, enabling remote code execution. While an attacker would need access to the network of a targeted HPC cluster, the potential for widespread impact across connected clusters and nodes is alarming.
Excel users are advised to address five patches released this month, all rated at 7.8. Notably, CVE-2025-21381 is prioritized by Microsoft due to its potential for remote code execution, albeit through local attack vectors. This vulnerability could be exploited via social engineering tactics, tricking users into opening malicious files.
Another vulnerability of concern is CVE-2025-21379, affecting the DHCP Client Service across all Windows builds. Although difficult to exploit, this 7.1-rated flaw requires meticulous network mapping and execution of a machine-in-the-middle attack.
Domain controllers get tough
As of February 11, administrators must remain vigilant regarding Microsoft’s updates to certificate-based authentication on domain controllers. By February 2025, if the StrongCertificateBindingEnforcement registry key is not configured, domain controllers will transition to Full Enforcement mode. This shift means that any certificate failing to meet strong mapping criteria will result in denied authentication.
While the option to revert to Compatibility mode will remain until September 2025, it is crucial for administrators to reconfigure certificate mappings as necessary. Conflicts, such as overlapping User Principal Names (UPNs) with sAMAccountNames, may require attention.
Post-patch installation, administrators should monitor audit logs for unusual Event IDs that could signal problematic certificates, serving as an early warning system.
Interestingly, CVE-2025-21177, a CVSS 8.7 flaw allowing elevation of privileges against Dynamics 365, has already been fully mitigated by Microsoft, requiring no further action from users. For those utilizing Windows Telephony, six important patches await, all rated at 8.8. Office users will also benefit from multiple patches addressing various vulnerabilities, including remote code execution and spoofing issues.
Other vendors patch, too
As is customary on Patch Tuesday, Adobe has contributed to the patch workload with 45 updates, though notably, there are no Acrobat patches this month. Of these, 31 address vulnerabilities in Adobe Commerce, targeting cross-site scripting (XSS) bugs, security feature bypasses, and critical code execution flaws. Users of the open-source Magento software should prioritize these updates, given the platform’s frequent targeting by attackers.
InDesign has received seven bug fixes, four of which are rated critical, while Illustrator has three critical-rated vulnerabilities that could lead to arbitrary code execution when handling malicious files. Substance 3D and InCopy each receive a critical-rated code execution fix, and Photoshop Elements is patched for an important-rated privilege escalation flaw relevant to macOS on Arm.
SAP has issued 21 individual patches, with CVSS scores ranging from 8.8 to 3.1, primarily affecting NetWeaver and addressing a cross-site scripting issue. Additionally, SAP’s Enterprise Project Connection has received a patch to rectify multiple issues.
Fortinet has also released security updates for various products, notably addressing a critical authentication bypass vulnerability in FortiOS and FortiProxy. With a CVSS score of 9.6, this vulnerability is a strong candidate for immediate attention in upcoming change windows.
