After the HUGE updates that were dropped by Microsoft in December and January, February has brought with it a smaller update in comparison - perhaps to match the shortest month!
This month, Microsoft has released updates for just 63 vulnerabilities, including 4 zero day vulnerabilities of which 2 are being actively exploited. Find the full release from Microsoft here.
2 of the 4 zero day vulnerabilities are being actively exploited in the wild.
CVE-2025-21391: Windows Storage Elevation of Privilege Vulnerability
CVE-2025-21418: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2025-21194: Microsoft Surface Security Feature Bypass Vulnerability
CVE-2025-21377: NTLM Hash Disclosure Spoofing Vulnerability
Alongside the 4 zero-day vulnerabilities released, there are 3 RCE Critical vulnerabilities that need to be addressed:
CVE-2025-21177: Microsoft Dynamics 365 Sales Elevation of Privilege Vulnerability
Description: This vulnerability allows an authenticated attacker to elevate privileges within the Microsoft Dynamics 365 Sales environment. The attacker can exploit this flaw to gain unauthorized access and perform actions beyond their intended permissions.
CVSS Score: 8.7 (High)
Severity: Critical
Exploitation Status: Not currently exploited in the wild.
CVE-2025-21376: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
Description: This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on an affected system by sending a specially crafted request to the LDAP server. Successful exploitation could lead to full system compromise.
CVSS Score: 8.1 (High)
Severity: Critical
CVE-2025-21381: Microsoft Excel Remote Code Execution Vulnerability
Description: This vulnerability allows an attacker to execute arbitrary code on a target system by convincing a user to open a specially crafted Excel file. The attack can be initiated through the Preview Pane, making it possible to exploit without fully opening the file.
CVSS Score: 7.8 (High)
Severity: Critical
CVE-2025-21379: DHCP Client Service Remote Code Execution Vulnerability
Description: This vulnerability allows an attacker to execute arbitrary code on a target system by sending specially crafted DHCP responses. Exploitation requires the attacker to be on the same network segment as the victim, making it an adjacent network attack.
CVSS Score: 7.1 (High)
Severity: Critical
CVE-2025-21391 (Windows Storage EoP) and CVE-2025-21418 (WinSock EoP) are actively exploited.
Deploy Microsoft’s security patches immediately to prevent potential privilege escalation and targeted attacks.
Verify patch application through endpoint and vulnerability management tools.
The three critical vulnerabilities (CVE-2025-21376, CVE-2025-21381, and CVE-2025-21379) pose significant risks for remote exploitation.
Prioritize patching systems running Microsoft Excel, Windows LDAP, and DHCP Client Service.
Assess exposure, especially for publicly accessible services.
CVE-2025-21377 (NTLM Hash Disclosure Spoofing) allows attackers to obtain user credentials.
Enforce NTLM relay protection and use stronger authentication methods like Kerberos.
Educate users on avoiding interactions with suspicious files or links.
CVE-2025-21194 allows attackers to bypass security features in Microsoft Surface devices.
Implement UEFI firmware updates and enforce security best practices for device hardening.
Review system logs for unusual activity related to privilege escalation or unauthorized access attempts.
Monitor for unusual DHCP, LDAP, and NTLM authentication requests, as these could indicate exploitation attempts.
Utilize SIEM solutions to correlate events and detect indicators of compromise (IOCs).
Did you know? You can use the RoboShadow platform to check your Windows Updates as well as patch any outstanding software updates using Cyber Heal.
If you have any questions about Patch Tuesday, or feedback on this blog please
reach out to us: hello@roboshadow.com
Thanks for reading!