Full Report
Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it said has come under active exploitation in the wild. Of the 63 vulnerabilities, three are rated Critical, 57 are rated Important, one is rated Moderate, and two are rated Low in severity. This is aside from the 23 flaws Microsoft addressed in its Chromium-based Edge
Analysis Summary
# Complexity: February 2025 Microsoft Patch Tuesday Summary
This summary focuses on the disclosed and actively exploited vulnerabilities from the February 2025 Microsoft Patch Tuesday update, alongside other significant patches mentioned.
## CVE Details
* **CVE ID:** CVE-2025-21391
* **CVSS Score:** 7.1 (Important)
* **CWE:** Not explicitly listed in the description, but implied to be related to file handling/permissions.
* **CVE ID:** CVE-2025-21418
* **CVSS Score:** 7.8 (Important)
* **CWE:** Privilege Escalation (related to AFD.sys).
* **CVE ID:** CVE-2025-21198
* **CVSS Score:** 9.0 (Critical)
* **CVE ID:** CVE-2025-21376
* **CVSS Score:** 8.1 (High)
* **CVE ID:** CVE-2025-21377
* **CVSS Score:** 6.5 (Moderate/Important)
*Total Microsoft Flaws Fixed: 63 (3 Critical, 57 Important, 1 Moderate, 2 Low).*
*Microsoft Edge Flaws Fixed: 23 (in addition to the 63).*
## Affected Systems
* **Products (Focusing on Exploited & High Severity):** Windows components (Storage, Ancillary Function Driver for WinSock - AFD.sys, Windows Kernel/AppLocker context similarities), Microsoft High Performance Compute (HPC) Pack, Windows Lightweight Directory Access Protocol (LDAP).
* **Versions:** Not specified in detail, but applies to general Microsoft products receiving the February 2025 security updates.
* **Configurations:**
* **CVE-2025-21198 (HPC Pack RCE):** Targets the head node or Linux compute node via a specially crafted HTTPS request.
* **CVE-2025-21376 (LDAP RCE):** Requires winning a race condition.
## Vulnerability Description
The February update addresses two **actively exploited zero-day vulnerabilities**:
1. **CVE-2025-21391 (Windows Storage EoP):** Allows an attacker to delete targeted files on the system. This denial of service/data destruction impacts availability and can be chained with other flaws to aid in privilege escalation and forensic artifact deletion.
2. **CVE-2025-21418 (AFD.sys EoP):** A privilege escalation vulnerability in the Ancillary Function Driver for WinSock (AFD.sys) that attackers can leverage to achieve **SYSTEM privileges**. This bypasses the need for BYOVD attacks by exploiting native Windows drivers.
Other key vulnerabilities include:
* **CVE-2025-21198 (Critical RCE in HPC Pack):** Allows remote code execution on head nodes or connected Linux compute nodes via crafted HTTPS requests.
* **CVE-2025-21376 (RCE in Windows LDAP):** An RCE flaw in LDAP that requires beating a race condition. Success could enable lateral movement and domain compromise due to LDAP's role in AD authentication.
* **CVE-2025-21377 (NTLMv2 Hash Disclosure):** Allows an attacker to authenticate as the targeted user by obtaining their NTLMv2 hash.
## Exploitation
* **Status:** **Exploited in the Wild** for CVE-2025-21391 and CVE-2025-21418.
* **Complexity (Inferred):**
* CVE-2025-21391 & CVE-2025-21418: Medium/High (as they are being actively weaponized, likely via chaining).
* CVE-2025-21376: High (due to the requirement to win a race condition).
* **Attack Vector:** Network (RCEs), Local (EoPs).
## Impact
* **Confidentiality:** Potential disclosure via LDAP RCE chaining (CVE-2025-21376) or NTLMv2 disclosure (CVE-2025-21377).
* **Integrity:** Deletion of targeted files (CVE-2025-21391), potential for privilege escalation to SYSTEM (CVE-2025-21418).
* **Availability:** Data deletion leading to service unavailability (CVE-2025-21391).
## Remediation
### Patches
Microsoft has released fixes for all 63 vulnerabilities addressed in the February 2025 security update. Specific version rollouts should be verified via the Microsoft Update Guide. Patching is **URGENT** for CVE-2025-21391 and CVE-2025-21418.
### Workarounds
No explicit workarounds were detailed for the two exploited EoP flaws in the summary, but for CVE-2025-21376, mitigating race condition exploitation is implicitly handled by patching.
## Detection
* **Indicators of Compromise:** Related to file deletion activity potentially preceding an elevation of privilege. Look for atypical SYSTEM-level file manipulation.
* **Detection Methods and Tools:** CISA has added **CVE-2025-21391** and **CVE-2025-21418** to its **Known Exploited Vulnerabilities (KEV) catalog**. Federal agencies must patch by March 4, 2025. Monitoring for exploitation attempts targeting HPC Pack or unusual HTTPS traffic to compute nodes should be prioritized.
## References
* [Microsoft Security Update Guide Release Note (February 2025)](msrc.microsoft.com/update-guide/releaseNote/2025-Feb) (Defanged)
* [CISA KEV Catalog Update](www.cisa.gov/news-events/alerts/2025/02/11/cisa-adds-four-known-exploited-vulnerabilities-catalog) (Defanged)
* [Action1 Analysis Link](www.action1.com/patch-tuesday/patch-tuesday-february-2025/) (Defanged)
* **Other Vendors Patched:** Adobe, AWS, Apple, Arm, ASUS, AutomationDirect, Debian, Edge, Oracle Linux, Red Hat, Rocky Linux, SUSE, Ubuntu, MediaTek, Mitel, Mitsubishi Electric, Mozilla (Firefox, ESR, Thunderbird), NVIDIA, OpenSSL, Palo Alto Networks, Progress Software, QNAP, Salesforce, Samsung, SAP, Schneider Electric, Siemens, SolarWinds, SonicWall, Synology, Trimble Cityworks, Veeam, Veritas, Zimbra, Zoom, Zyxel.