A dangerous flaw in how Windows environments handle Kerberos service ticket requests one that significantly expands the practical attack surface for Kerberos relaying in Active Directory.
Continue Reading
Summary : CrowdStrike recently disclosed and released patches for two medium-severity vulnerabilities affecting its Falcon sensor for Windows systems, identified as CVE-2025-42701 and CVE-2025-42706. These vulnerabilities allow attackers who already have code execution privileges on a targeted Windows host to delete arbitrary files, potentially destabilizing the Falcon sensor, other installed software, or even the operating system itself.
| OEM | CrowdStrike |
| Severity | Medium |
| CVSS Score | 6.5 |
| CVEs | CVE-2025-42701, CVE-2025-42706 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Notably, Falcon sensors for macOS and Linux are not affected, Users & Administrator using falcon sensor for windows update to the latest version.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability | CVE-2025-42701 | CrowdStrike Falcon Sensor for Windows | Medium | 7.28.20008 and later 7.27.19909 7.26.19813 7.25.19707 7.24.19608 7.16.18637 (WIN7/2008 R2 only) |
| Origin Validation Logic Error Vulnerability | CVE-2025-42706 | CrowdStrike Falcon Sensor for Windows | Medium |
Technical Summary
The Falcon Sensor for Windows was found to contain security flaws that could permit a locally authenticated attacker with existing code execution privileges to delete arbitrary files on the affected system.
Race condition vulnerability caused by improper synchronization in the software’s operation timing, while the other vulnerability results from a logical error affecting file handling processes.
These issues could lead to significant disruption of security functions or system stability. Prompt remediation has been issued by CrowdStrike and there is currently no evidence of exploitation in active environments.
| CVE ID | Platform Affected | Vulnerability Details | Impact |
| CVE-2025-42701 | CrowdStrike Falcon Sensor for latest Windows, Windows 7, Windows Server 2008 | Time-of-check Time-of-use (TOCTOU) race condition due to a timing gap in handling file operations, which allows an attacker with prior local code execution to delete arbitrary files on the host system. | Sensor disruption and file deletion. |
| CVE-2025-42706 | CrowdStrike Falcon Sensor for latest Windows, Windows 7, Windows Server 2008 | A logic error related to origin validation in the Falcon sensor’s file handling, enabling an attacker with existing code execution abilities to delete arbitrary files. | Sensor disruption and file deletion. |
Recommendations
Update CrowdStrike Falcon Sensor for Windows to the following patched versions or latest one
Implement the following best practices to enhance overall security posture
Conclusion:
CrowdStrike identified and promptly addressed two vulnerabilities in widely used falcon endpoint protection sensor for Windows. These issues, if left unpatched, could allow an attacker with existing local access to disrupt system stability by deleting critical files.
There is no active exploitation has been detected & CrowdStrike already released the patches. Users are strongly encouraged to apply the latest patches and follow best security practices to maintain system integrity and resilience against potential threats.
References:
September 2025 Patch Tuesday update, addressing 86 security issues in products like Microsoft Windows, Microsoft Office etc.
This includes two publicly known zero-day bugs in the Windows SMB Server and another in Newtonsoft.Json. Here are the CVE addressed for Microsoft & non-Microsoft.
Organizations are strongly encouraged to prioritize patching of systems tied to network services, virtualization and productivity tools to mitigate risks of exploitation.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-09-09 |
| No. of Patches | 86 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Here are the CVE addressed for Microsoft & non-Microsoft
Breakdown of September 2025 Vulnerabilities
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows SMB Elevation of Privilege Vulnerability | CVE-2025-55234 | Windows Server, Windows 10, 11 | High | 8.8 |
| Improper Handling of Exceptional Conditions in Newtonsoft.Json | CVE-2024-21907 | Microsoft SQL Server | High | 7.5 |
Technical Summary
September 2025 Patch Tuesday includes security updates addressing denial-of-service and privilege escalation vulnerabilities in commonly used libraries and services.
One of the publicly disclosed zero-day CVE-2024-21907 affects the popular .NET library Newtonsoft.Json, where deserialization of crafted JSON can lead to application crashes.
Additionally, CVE-2025-55234 highlights a potential for relay attacks in SMB Server configurations that lack hardening measures such as signing and Extended Protection for Authentication (EPA). Microsoft advises assessing current SMB deployments using new audit capabilities introduced in this month’s updates.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-55234 | Microsoft SMB Server | Lack of hardening (signing & EPA) in SMB Server can allow attackers to perform relay attacks, potentially resulting in elevation of privilege. | Privilege Escalation |
| CVE-2024-21907 | Newtonsoft.Json < 13.0.1 | Improper handling of crafted input to JsonConvert.DeserializeObject may trigger a StackOverflowException, leading to a denial-of-service condition. | Denial of Service |
Source: Microsoft and NVD
In addition to the publicly disclosed zero day vulnerability, several other Critical & High severity issues were addressed
Key Affected Products and Services
The September 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services:
Includes updates for Windows Kernel, NTFS, TCP/IP, Defender Firewall, LSASS, BitLocker, NTLM, Win32K, and RRAS (Routing and Remote Access Service), with several vulnerabilities rated CVSS 8.8 or higher.
Patches released for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, especially through Preview Pane vectors.
Fixes affect Azure Virtual Machine Agent, Azure Arc, and High-Performance Compute Pack (HPC).
Multiple vulnerabilities in Hyper‑V and Virtual Hard Drive components, including privilege escalation and denial-of-service risks.
Patches applied to PowerShell, AutoZone, Windows Management Services and Capability Access Management, addressing local privilege escalation.
Updates cover SMB, SMBv3, MSMQ and Connected Devices Platform, with critical RCE and lateral movement vectors in enterprise environments.
Microsoft Edge (Chromium-based) updates, along with republished Chrome CVEs for continued coverage of known browser threats.
Remediation:
Apply Patches Promptly: Install the September 2025 security updates immediately to mitigate risks.
Conclusion:
Microsoft’s September 2025 Patch Tuesday addresses 86 vulnerabilities, including several critical and high rated issues across Windows, Office, Hyper-V and Azure components etc.
Notably, multiple flaws affect Windows Routing and Remote Access Service (RRAS), SQL Server, and Microsoft High Performance Compute Pack (HPC), with potential for remote code execution (RCE) and privilege escalation.
Microsoft fixed an elevation of privileges flaw in SMB Server that is exploited through relay attacks.
“SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks,” explains Microsoft.
References:
Microsoft Patch Tuesday : Key points:
119 vulnerabilities discovered & 13 are classified as Critical rating meaning as per Microsoft’ they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.
CVE-2025-53779 is Windows Kerberos Elevation of Privilege Vulnerability
The vulnerabilities fall into multiple categories, including Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Spoofing, Denial of Service (DoS), and Tampering. Below is a detailed breakdown of the vulnerabilities by category, along with key insights for organizations to prioritize their patching efforts.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-08-12 |
| No. of Patches | 119 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Microsoft has released security updates addressing 119 vulnerabilities in the August 2025 Patch Tuesday cycle, including one publicly disclosed zero-day in Windows Kerberos. Of these, 13 are classified as Critical, covering a wide range of products such as Windows components, Office, Azure, Exchange and SharePoint.
Breakdown of August 2025 Vulnerabilities
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Kerberos Elevation of Privilege Vulnerability | CVE-2025-53779 | Windows Server 2025 | High | 7.2 |
Technical Summary
The August 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-53779 in Windows Kerberos.
This elevation of privilege flaw, related to improper path handling in domain-managed service accounts (dMSA), could allow a local attacker to gain domain administrator privileges.
Microsoft also patched several critical Remote Code Execution (RCE) vulnerabilities across Windows Graphics, GDI+, Office, DirectX, and Hyper-V. Many of these vulnerabilities require minimal or no user interaction, such as simply opening a file in the preview pane or processing crafted image or network messages, making them high-risk for enterprise environments.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-53779 | Microsoft Windows Server 2025 | Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network. | Privilege escalation |
Source: Microsoft and NVD
In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed:
Key Affected Products and Services
The vulnerabilities addressed in August 2025 impact a wide range of Microsoft products and services, including:
Includes fixes in Windows Server (Kerberos), Windows Graphics Component, GDI+, DirectX Graphics Kernel, NTLM, Hyper‑V, MSMQ, Remote Desktop and more.
Microsoft Office and Word, notably through Preview Pane RCE flaws, as well as SharePoint (RCE and EoP), Exchange Server (Privilege Escalation in hybrid setups) and Teams.
Critical issues in Azure Virtual Machines (spoofing and info disclosure), Azure Stack Hub and potentially Azure Portal.
Updates include vulnerabilities in Hyper‑V (RCE and privilege escalation) and DirectX graphics kernel components relevant to virtualization.
Fixes include vulnerabilities affecting Visual Studio and GitHub Copilot, reinforcing development environments.
Includes a critical RCE in Microsoft Message Queuing (MSMQ).
Remediation:
Conclusion:
Microsoft’s August 2025 Patch Tuesday, disclosed zero-day CVE-2025-53779 is another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.
Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services.
References:
The flaw, disclosed by researchers at Cyberdom Blog, poses a significant risk to millions of Windows users and organizations relying on windows.
| OEM | Windows |
| Severity | HIGH |
| CVSS Score | 7.8 |
| CVEs | CVE-2025-21204 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A high-severity vulnerability in the Windows Update Stack, CVE-2025-21204, enables local attackers to escalate privileges to SYSTEM level by exploiting trusted path abuse through symbolic links. The flaw affects various versions of Windows 10, Windows 11, and Windows Server.
A working proof-of-concept (PoC) exploit has been publicly released by security researcher Elli Shlomo, increasing the urgency to patch. The issue is addressed in the April 2025 cumulative update KB5055523.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Update Stack Privilege Escalation | CVE-2025-21204 | Windows | HIGH | 7.8 |
Technical Summary
The vulnerability lies in how Windows Update processes such as MoUsoCoreWorker.exe and UsoClient.exe, which run with SYSTEM privileges, handle directory junctions. Attackers can delete the legitimate Tasks directory under C:\ProgramData\Microsoft\UpdateStack and replace it with a symbolic link pointing to an attacker-controlled path. This allows the execution of arbitrary code as SYSTEM without triggering traditional security mechanisms.
A public PoC developed by Elli Shlomo demonstrates this exploit using only native Windows features—no external binaries or code injection required.
This opens the door for a range of attacks, including installing persistent malware, disabling security tools, or accessing sensitive data.
| CVE ID | System Affected | Vulnerability Details | Exploit Prerequisites | Impact |
| CVE-2025-21204 | Windows 10 (10.0.10240.0 < 10.0.10240.20978, etc.), Windows 11, Server | Misuse of NTFS junctions allows local attackers to redirect C:\ProgramData\Microsoft\UpdateStack\Tasks to attacker-controlled locations. SYSTEM-level update processes follow these junctions and execute unauthorized code. | Attackers must have local access and limited user privileges; no user interaction required | Local privilege escalation, Code execution |
Source: Cyberdom
Recommendations:
Conclusion:
CVE-2025-21204 is an example of a rather low-level and impactful threat doing trusted path abuse rather than complex memory corruption. This vulnerability demonstrates how attackers will exploit trust assumptions built into the operating system via native components.
The only defenses available are to immediately patch and harden directory access controls to stop this low-level and minimally visible localized privilege escalation.
References:
Summary
Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows CVE-2025-24076 and CVE-2025-24994.
DLL hijacking is a technique that exploits how Windows applications load DLLs.
| OEM | Windows |
| Severity | HIGH |
| CVSS Score | 7.3 |
| CVEs | CVE-2025-24994, CVE-2025-24076 |
| No. of Vulnerabilities Patched | 02 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Cross Device Service Elevation of Privilege Vulnerability | CVE-2025-24076 | Windows | HIGH | 7.3 |
| Windows Cross Device Service Elevation of Privilege Vulnerability | CVE-2025-24994 | Windows | HIGH | 7.3 |
Technical Summary
The vulnerability arises due to Windows 11’s “Mobile devices” functionality loading a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy that executes with elevated privileges.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24076 | Windows 11 Version 22H2, 22H3, 23H2, 24H2. | Exploits a race condition in the “Mobile devices” feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when replaced with a malicious DLL. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window. | Allows SYSTEM-level privilege escalation |
| CVE-2025-24994 | Windows 11 Version 22H2, 22H3, 23H2, 24H2 | Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user’s context. This vector is less severe but still exploitable. | Allows user-to-user privilege escalation |
Remediation:
Conclusion:
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.
The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.
While CVE-2025-24076 enables SYSTEM-level access but CVE-2025-24994 arises from a related user-level process failing to validate DLLs.
This opens the door to user-to-user attacks, though its impact is far less severe compared to its SYSTEM-targeting sibling.
References:
Summary of Microsoft April Patch Tuesday
Microsoft released April 2025 Patch Tuesday, addressed 135 security vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) already being actively exploited.
Microsoft April Patch Tuesday is released every month on priority basis so that organization can address the vulnerabilities as advised by security analysts
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-04-08 |
| No. of Vulnerabilities Patched | 135 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Key updates focus on core Windows components like the CLFS driver, Windows Kernel, and multiple remote code execution (RCE) vulnerabilities across many services including Remote Desktop Gateway, LDap, and TCP/IP.
The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.
On a similar note publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day vulnerability] | CVE-2025-29824 | Windows | High | 7.8 |
| Remote Desktop Gateway Service RCE Vulnerability | CVE-2025-27480 CVE-2025-27482 | Windows | High | 8.1 |
| LDAP Service RCE Vulnerability | CVE-2025-26663 | Windows | High | 8.1 |
| LDAP Client RCE Vulnerability | CVE-2025-26670 | Windows | High | 8.1 |
Technical Summary
The April 2025 update fixes several high-severity vulnerabilities in Microsoft products, here are some vulnerabilities details:
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-29824 | Windows 10/11, Windows Server | An elevation of privilege vulnerability in the Windows Kernel caused by improper object access. Attackers with local access could exploit this to gain SYSTEM privileges. | Elevation of Privilege |
| CVE-2025-27480 CVE-2025-27482 | Windows RDS | Race condition in Remote Desktop Gateway; triggers use-after-free allowing code execution | Remote Code Execution |
| CVE-2025-26663 | Windows LDAP | Crafted LDAP call causes use-after-free, leading to arbitrary code execution | Remote Code Execution |
| CVE-2025-26670 | Windows TCP/IP | Memory mismanagement during DHCPv6 handling, complex exploit chain. | Remote Code Execution |
Source: Microsoft & NVD
In addition to the actively exploited vulnerabilities, several other Vulnerabilities were also addressed:
These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.
An attacker could bypass security features via improper neutralization in the Microsoft Management Console, leading to remote code execution and potential full system compromise.
This vulnerability allows local attackers to exploit improper logging in NTFS, potentially granting unauthorized access to sensitive memory areas, which could lead to arbitrary code execution.
Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.
This vulnerability can be exploited by guest users through social engineering, enabling remote code execution on the host system, with a high complexity for successful exploitation.
Remediation:
General Recommendations:
“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.
Conclusion:
The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.
Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.
IT teams and users are urged to promptly install the security updates and implement recommended security controls to mitigate these risks. As these vulnerabilities are actively exploited, immediate action is crucial to safeguarding systems from potential compromise.
References:
Summary
Be careful when you open that file in whatapp, it might have that spoofing flaw allowing Arbitrary Code Execution (CVE-2025-30401) and affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug .
Overview
The vulnerability has been fixed in version 2.2450.6. WhatsApp has and will always be an attractive field for attackers and this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Spoofing Vulnerability | CVE-2025-30401 | WhatsApp Desktop for Windows | Medium | 2.2450.6 |
Technical Summary
The vulnerability results from WhatsApp for Windows’s different handling of attachments. It opens files depending on their filename extension while displaying files based on their MIME type. This mismatch allows attackers to spoof file types and trick users into launching malicious executables.
Example Scenario:
An attacker sends a file named cat.jpg.exe with a MIME type of image/jpeg. WhatsApp displays the file as an image (because of the MIME type), misleading the user. If the user manually opens the attachment from within WhatsApp, Windows uses the .exe extension to execute the file — potentially launching malicious code.
This form of UI spoofing can be especially effective in group chats, where malicious attachments may be distributed widely and appear harmless.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-30401 | WhatsApp Desktop for Windows (<2.2450.6) | MIME type used for display, but file extension used for execution. A mismatch between the two could allow a file to appear harmless (e.g., image), while actually being executable (e.g., .exe). | Remote Arbitrary code execution |
Remediation:
Conclusion:
CVE-2025-30401 is a key example of how inconsistent file processing in the user interface can result in serious security threats. Attackers can create misleading payloads that can run arbitrary code by taking advantage of users’ faith in how apps display attachments.
Due to the possibility of remote exploitation, users should update to the latest WhatsApp version 2.2450.6 or later. Patching should be done right away to avoid any compromise.
Be careful when you click attachments.
References:
CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.
| OEM | Microsoft |
| Severity | High |
| CVSS | 7.8 |
| CVEs | CVE-2018-8639 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview on Vulnerability
The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Privilege Escalation Vulnerability | CVE-2018-8639 | Windows | High |
Technical Summary
The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.
Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2018-8639 | Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019 | Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation. | System compromise, unauthorized access, potential malware persistence |
Remediation:
General Recommendations:
Conclusion:
Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk.
References:
Summary
Microsoft’s February 2025 Patch Tuesday addresses multiple security vulnerabilities, including four zero-days, with two actively exploited in the wild. This update covers a total of 67 security flaws, with three classified as critical Remote Code Execution (RCE) vulnerabilities.
Microsoft issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-02-11 |
| No. of Vulnerabilities Patched | 67 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The affected products include Windows, Microsoft Office, Microsoft Surface, and various network services. Organizations are strongly advised to apply these patches immediately to mitigate security risks and potential cyberattacks.
The highlighted vulnerabilities include 4 zero-day flaws, 2 of which are currently being actively exploited.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2025-21418 | Windows | High | 7.8 |
| Windows Storage Elevation of Privilege Vulnerability | CVE-2025-21391 | Windows | High | 7.1 |
| Microsoft Surface Security Feature Bypass Vulnerability | CVE-2025-21194 | Windows | High | 7.1 |
| NTLM Hash Disclosure Spoofing Vulnerability | CVE-2025-21377 | Windows | Medium | 6.5 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21418 | Windows server and Windows 10 & 11 | Windows ancillary function driver for winsock elevation of privilege vulnerability enables attackers to escalate privileges to SYSTEM level. Specific exploitation details are not disclosed. | Unauthorized access with SYSTEM privileges. |
| CVE-2025-21391 | Windows server and Windows 10 & 11 | Windows storage elevation of privilege vulnerability allows attackers to delete targeted files on a system, potentially leading to service unavailability. Does not expose confidential data. | Deletion of critical data, leading to service disruption. |
| CVE-2025-21194 | Microsoft Surface | Microsoft surface security feature bypass vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Likely related to “PixieFail” vulnerabilities affecting the IPv6 network stack in Tianocore’s EDK II firmware. | Bypass of security features, potentially compromising system integrity. |
| CVE-2025-21377 | Windows server and Windows 10 & 11 | NTLM hash disclosure spoofing vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks. | Potential for attackers to authenticate as the user, leading to unauthorized access. |
Source: Microsoft
In addition to the actively exploited vulnerabilities, several other critical flaws were also addressed:
Remediation:
Conclusion:
The February 2025 Patch Tuesday release addresses critical security vulnerabilities, including actively exploited zero-days. Timely application of these updates is essential to protect systems from potential threats. Organizations should review the affected products and implement the necessary patches and mitigations to maintain security integrity.
The attack vector is local, meaning the attacker needs local access — physically or remotely, using SSH method without user interaction and if successful in exploiting, can give the attacker system privileges.
References:
Recent Comments