February 2025 Patch Tuesday: Four Zero-Days and Three Critical Vulnerabilities Among 67 CVEs

Microsoft has released security updates for 67 vulnerabilities in its February 2025 Patch Tuesday rollout. Among these are three Critical vulnerabilities and four zero-days affecting the Windows NTLMv2 hash, Windows Storage, and Windows Ancillary Function Driver, as well as Microsoft Surface devices.

February 2025 Risk Analysis

This month’s leading risk type by exploitation technique is remote code execution (RCE) at 42%, followed by elevation of privilege (32%). Note: Eight of the vulnerabilities affect Azure Linux, but Microsoft did not provide severities so they are therefore not included in Figure 1.

Actively Exploited Zero-Day Vulnerability in Windows Ancillary Function Driver for WinSock

Windows Ancillary Function Driver for WinSock received a patch for CVE-2025-21418, which has a severity of Important and a CVSS score of 7.8. Windows Ancillary Function Driver for WinSock is primarily responsible for handling network-related functions. This elevation of privilege vulnerability allows an attacker to gain SYSTEM privileges. Microsoft has indicated the vulnerability is a result of heap-based buffer overflow but has not shared other details or source of disclosure.

Actively Exploited Zero-Day Vulnerability in Windows Storage

Windows Storage received a patch for CVE-2025-21391, which has a severity of Important and a CVSS score of 7.1. This elevation of privilege vulnerability allows an attacker to delete targeted files on a system. The vulnerability does not allow disclosure of data but could disrupt services if critical files are deleted.

Publicly Disclosed Zero-Day Vulnerabilities in Microsoft Surface and Windows

Microsoft Surface devices received a patch for CVE-2025-21194, which has a severity of Important and a CVSS score of 7.1. Successful exploitation of this highly complex vulnerability hinges on the convergence of multiple factors, including specific application behavior, user actions, function parameter manipulation, and integrity level token impersonation.

Windows received a patch for CVE-2025-21377, which has a severity of Important and a CVSS score of 6.5. This vulnerability can lead to total loss of confidentiality by exposing a user's NTLMv2 hash, potentially allowing an attacker to authenticate as the user.It requires minimal user interaction with a malicious file. 

This vulnerability impacts all Windows versions. While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. Internet Explorer (IE) Cumulative updates are included for some servers due to ongoing support for MSHTML, EdgeHTML, and scripting platforms. For full protection, Microsoft recommends installing both Security Only Windows updates and IE Cumulative updates. This vulnerability's easy exploitation and high risk demand urgent mitigation and patching.

Critical Vulnerability in Windows Lightweight Directory Access Protocol 

CVE-2025-21376 is a Critical RCE vulnerability affecting Windows Lightweight Directory Access Protocol (LDAP) and has a CVSS score of 8.1. This high-complexity vulnerability requires an attacker to win a race condition for successful exploitation. An unauthenticated attacker could exploit it by sending a specially crafted request to a vulnerable LDAP server, potentially causing a buffer overflow that could lead to remote code execution. 

Microsoft recommends that all Active Directory servers be configured to not accept remote procedure calls (RPCs) from untrusted networks in addition to patching this vulnerability. Due to the ease of exploitation and the significant risk this vulnerability poses to the Active Directory environment, it should be mitigated and patched quickly.

Critical Vulnerability in Microsoft Excel

CVE-2025-21381 is a Critical RCE vulnerability affecting Microsoft Excel and has a CVSS score of 7.8. Despite being classified as a local attack vector in CVSS, this vulnerability can lead to remote code execution because the attacker can be remote while the exploit occurs locally on the victim's machine. The vulnerability could be triggered via the Preview Pane in affected applications, as we have seen many times in similar vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025).

Critical Vulnerability in Dynamic Host Configuration Protocol Client Service

CVE-2025-21379 is a Critical RCE vulnerability with a CVSS score of 7.1 and affects the DHCP (Dynamic Host Configuration Protocol) Client Service. This high-complexity vulnerability requires the attacker to perform a machine-in-the-middle attack, injecting themselves between the target and the requested resource. The attack is limited to systems on the same network segment as the attacker, restricting its scope to a local area network rather than across multiple networks.

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our newly available Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events a day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures — learn more here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article. 

Additional Resources

• For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
• See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. 
• Learn how CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, can discover unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
• Learn how CrowdStrike Falcon® Identity Protection products can stop workforce identity threats faster. 
• Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards. 
• Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.