Report Name: Microsoft Patch Tuesday, February 2025
Generated: 2025-02-12 14:17:03

Product Name	Prevalence	U	C	H	M	L	A	Comment
Windows Kernel	0.9			1			1	Windows Kernel
Windows NTLM	0.9			1			1	A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity
Chromium	0.8			6	14		20	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
Microsoft Edge	0.8			5	2		7	Web browser
Microsoft Office	0.8			2			2	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Windows Active Directory Domain Services API	0.8				1		1	Windows component
Windows Ancillary Function Driver for WinSock	0.8		1				1	Windows component
Windows Core Messaging	0.8				3		3	Windows component
Windows Deployment Services	0.8				1		1	Windows component
Windows Disk Cleanup Tool	0.8				1		1	Windows component
Windows Installer	0.8				1		1	Windows component
Windows Kerberos	0.8				1		1	Windows component
Windows Lightweight Directory Access Protocol (LDAP)	0.8			1			1	Windows component
Windows NTFS	0.8				1		1	The default file system of the Windows NT family
Windows Remote Desktop Configuration Service	0.8				1		1	Windows component
Windows Resilient File System (ReFS) Deduplication Service	0.8				2		2	Windows component
Windows Routing and Remote Access Service (RRAS)	0.8			2			2	Windows component
Windows Secure Kernel Mode	0.8			1			1	Windows component
Windows Setup Files Cleanup	0.8			1			1	Windows component
Windows Storage	0.8		1				1	Windows component
Windows Telephony Server	0.8			1			1	Windows component
Windows Telephony Service	0.8			5			5	Windows component
Windows Win32 Kernel Subsystem	0.8				1		1	Windows component
Microsoft Excel	0.6				6		6	MS Office product
Microsoft Outlook	0.6				1		1	Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites
Azure Network Watcher VM Extension	0.5				1		1	Azure Network Watcher VM Extension
DHCP Client Service	0.5				2		2	DHCP Client Service
HackerOne: CVE-2023-32002 Node.js `Module._load()` policy	0.5			1			1	HackerOne: CVE-2023-32002 Node.js `Module._load()` policy
Internet Connection Sharing (ICS)	0.5				4		4	Internet Connection Sharing (ICS)
Kernel Streaming WOW Thunk Service Driver	0.5				1		1	Kernel Streaming WOW Thunk Service Driver
Microsoft AutoUpdate (MAU)	0.5				1		1	Microsoft AutoUpdate (MAU)
Microsoft Digest Authentication	0.5				2		2	Microsoft Digest Authentication
Microsoft Dynamics 365	0.5				1		1	Microsoft Dynamics 365 is a product line of enterprise resource planning (ERP) and customer relationship management (CRM) intelligent business applications
Microsoft Edge (Chromium-based) Update	0.5				1		1	Microsoft Edge (Chromium-based) Update
Microsoft Edge for IOS and Android	0.5				1		1	Microsoft Edge for IOS and Android
Microsoft High Performance Compute (HPC) Pack	0.5				1		1	Microsoft High Performance Compute (HPC) Pack
Microsoft Message Queuing (MSMQ)	0.5				1		1	Microsoft Message Queuing (MSMQ)
Microsoft PC Manager	0.5				1		1	Microsoft PC Manager
Microsoft SharePoint Server	0.5				1		1	Microsoft SharePoint Server
Microsoft Surface	0.5				1		1	Microsoft Surface
Visual Studio Code JS Debug Extension	0.5				1		1	Visual Studio Code JS Debug Extension
account	0.5			1			1	Product detected by a:microsoft:account (does NOT exist in CPE dict)
Azure	0.4			1			1	Azure
Visual Studio Code	0.3				1		1	Integrated development environment
Visual Studio Installer	0.3				1		1	Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0			16	10		26
Authentication Bypass	0.98			5	1		6
Command Injection	0.97				1		1
Security Feature Bypass	0.9			2	1		3
Elevation of Privilege	0.85		2	5	17		24
Information Disclosure	0.83				1		1
Cross Site Scripting	0.8				5		5
Denial of Service	0.7				9		9
Memory Corruption	0.5				6		6
Spoofing	0.4			1	6		7
Tampering	0.3				1		1

Source	U	C	H	M	L	A
MS PT Extended			14	19		33
Qualys		2	3	9		14
Tenable		2	2	5		9
Rapid7		2	2	3		7
ZDI		2	1	2		5

Urgent (0)

Critical (2)

1. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2025-21418) - Critical [716]

Description: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Qualys: CVE-2025-21418: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability The Windows Ancillary Function Driver for WinSock is a core Windows system driver. This is a crucial component in the network communication process. The driver provides a low-level functionality to the WinSock API, allowing applications to interact with network sockets. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CISA added the CVE-2025-21418 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before March 4, 2025.

Tenable: Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)

Tenable: CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Tenable: CVE-2025-21418 is an EoP vulnerability in the Ancillary Function Driver for WinSock for Microsoft Windows. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM level privileges.

Rapid7: All versions of Windows receive patches today for CVE-2025-21418, a heap-based buffer overflow in the Windows Ancillary Function Driver (AFD). Successful exploitation leads to SYSTEM privileges. The AFD has been around for decades; it handles foundational networking functionality, so it is necessarily a kernel driver which interacts with a great deal of user-supplied input. It is perhaps not very shocking that AFD has been the site of a significant number of problems over the years: specifically, elevation of privilege (EoP) vulnerabilities. Microsoft is aware of existing exploitation in the wild, and with low attack complexity, low privilege requirements, and no requirement for user interaction, CVE-2025-21418 is one to prioritize for patching. The relatively low CVSSv3 base score of 7.8 and severity rating of Important may appear relatively mild; however, broad similarities exist between this vuln and CVE-2024-38193, which Rapid7 flagged as ripe for malware abuse on the day it was published, and which has subsequently been linked to exploitation by North Korean state-associated threat actor tracked as Lazarus.

ZDI: CVE-2025-21418 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. This is the other bug being actively exploited, but it’s a more traditional privilege escalation than the other one. In this case, an authenticated user would need to run a specially-crafted program that ends up executing code with SYSTEM privileges. That’s why these types of bugs are usually paired with a code execution bug to take over a system. Microsoft doesn’t provide any information on how widespread these attacks are, but regardless of how targeted the attacks may be, I would test and deploy these patches quickly.

ZDI: CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

2. Elevation of Privilege - Windows Storage (CVE-2025-21391) - Critical [704]

Description: Windows Storage Elevation of Privilege Vulnerability

Qualys: CVE-2025-21391: Windows Storage Elevation of Privilege Vulnerability Windows Storage is a feature of Windows operating systems that manages how data is stored on a computer. It includes Storage Spaces, which combine physical and virtual disks to improve performance and protect data. The vulnerability does not allow an attacker to disclose any confidential information. The vulnerability may allow an attacker to delete data, which could lead to the service’s unavailability. CISA added the CVE-2025-21391 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before March 4, 2025.

Tenable: Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)

Tenable: CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability

Tenable: CVE-2025-21391 is an EoP vulnerability in Windows Storage. It was assigned a CVSSv3 score of 7.1 and is rated important. A local, authenticated attacker could exploit this vulnerability to delete files from a system. According to Microsoft, this vulnerability does not disclose confidential information to an attacker, rather, it only provides them with the capability to delete data, which may include data that could result in service disruption.

Rapid7: Ever wanted to delete a file on a Windows box, but pesky permissions prevented you from achieving your goal? CVE-2025-21391 might be just what you need: an elevation of privilege (EoP) vulnerability in the Windows Storage service for which Microsoft is aware of exploitation in the wild. No user interaction is required, and attack complexity is low, and the weakness is given as “CWE-59: Improper Link Resolution Before File Access” but what are attackers hoping to achieve here? Although the advisory provides scant detail, and even offers some vague reassurance that “an attacker would only be able to delete targeted files on a system”, it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service. As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links.

ZDI: CVE-2025-21391 - Windows Storage Elevation of Privilege Vulnerability. This is one of the bugs being exploited in the wild receiving a patch in this month’s release, and it’s a type of bug we haven’t seen exploited publicly. The vulnerability allows an attacker to delete targeted files. How does this lead to privilege escalation? My colleague Simon Zuckerbraun details the technique here. While we’ve seen similar issues in the past, this does appear to be the first time the technique has been exploited in the wild. It’s also likely paired with a code execution bug to completely take over a system. Test and deploy this quickly.

High (29)

3. Remote Code Execution - Microsoft Edge (CVE-2025-21279) - High [523]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2025-21279 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

4. Remote Code Execution - Microsoft Edge (CVE-2025-21283) - High [523]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2025-21283 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

5. Authentication Bypass - Azure (CVE-2025-21415) - High [489]

Description: Authentication bypass by spoofing in Azure AI Face Service allows an authorized attacker to elevate privileges over a network.

MS PT Extended: CVE-2025-21415 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

6. Elevation of Privilege - Windows Setup Files Cleanup (CVE-2025-21419) - High [489]

Description: Windows Setup Files Cleanup Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

7. Remote Code Execution - Microsoft Edge (CVE-2025-21342) - High [466]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2025-21342 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

8. Remote Code Execution - Microsoft Edge (CVE-2025-21408) - High [466]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2025-21408 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

9. Remote Code Execution - HackerOne: CVE-2023-32002 Node.js `Module._load()` policy (CVE-2023-32002) - High [452]

Description: HackerOne: CVE-2023-32002 Node.js `Module._load()` policy Remote Code Execution Vulnerability

10. Spoofing - Windows NTLM (CVE-2025-21377) - High [426]

Description: NTLM Hash Disclosure Spoofing Vulnerability

Qualys: CVE-2025-21377: NTLM Hash Disclosure Spoofing Vulnerability An NTLM hash is a cryptographic representation of a user’s password stored on Windows systems. It is a vital part of the process used to authenticate a user on Windows systems. An attacker may exploit the vulnerability to disclose a user’s NTLMv2 hash. Upon successful exploitation, an attacker may authenticate as the user.

Tenable: CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability

Tenable: CVE-2025-21377 is a New Technology LAN Manager (NTLM) Hash disclosure spoofing vulnerability that was publicly disclosed prior to a patch being made available. Despite the medium severity CVSSv3 score of 6.5, Microsoft assesses this vulnerability as “Exploitation More Likely.” Successful exploitation requires an attacker to convince a user to interact with a malicious file, such as inspecting the file or “performing an action other than opening or executing the file.” Exploitation would allow an attacker to obtain a user's NTLMv2 hash, which could then be used to authenticate as that user.

Rapid7: It’s almost surprising when any particular Patch Tuesday doesn’t involve plugging one or two holes through which NTLM hashes can leak. CVE-2025-21377 describes an NTLMv2 hash disclosure vulnerability where exploitation ultimately results in the attacker gaining the ability to authenticate as the targeted user. Minimal user interaction with a malicious file is required, including selecting, inspecting, or “performing an action other than opening or executing the file.” This trademark linguistic ducking and weaving may be Microsoft’s way of saying “if we told you any more, we’d give the game away.” Accordingly, Microsoft assesses exploitation as more likely. The advisory acknowledges researchers from 0patch by ACROS Security — who also reported last month’s NTLM hash disclosure zero-day vuln CVE-2025-21308 — as well as others from Securify and Cathay Pacific; this might be the first instance of an airline receiving credit for reporting a Microsoft zero-day vulnerability.

11. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-21208) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

12. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2025-21410) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

13. Remote Code Execution - Windows Telephony Server (CVE-2025-21201) - High [419]

Description: Windows Telephony Server Remote Code Execution Vulnerability

14. Remote Code Execution - Windows Telephony Service (CVE-2025-21190) - High [419]

Description: Windows Telephony Service Remote Code Execution Vulnerability

15. Remote Code Execution - Windows Telephony Service (CVE-2025-21200) - High [419]

Description: Windows Telephony Service Remote Code Execution Vulnerability

16. Remote Code Execution - Windows Telephony Service (CVE-2025-21371) - High [419]

Description: Windows Telephony Service Remote Code Execution Vulnerability

17. Remote Code Execution - Windows Telephony Service (CVE-2025-21406) - High [419]

Description: Windows Telephony Service Remote Code Execution Vulnerability

18. Remote Code Execution - Windows Telephony Service (CVE-2025-21407) - High [419]

Description: Windows Telephony Service Remote Code Execution Vulnerability

19. Elevation of Privilege - Microsoft Edge (CVE-2025-21185) - High [416]

Description: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-21185 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

20. Elevation of Privilege - account (CVE-2025-21396) - High [413]

Description: {'ms_cve_data_all': 'Microsoft Account Elevation of Privilege Vulnerability. Missing authorization in Microsoft Account allows an unauthorized attacker to elevate privileges over a network.\n', 'nvd_cve_data_all': 'Missing authorization in Microsoft Account allows an unauthorized attacker to elevate privileges over a network.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Missing authorization in Microsoft Account allows an unauthorized attacker to elevate privileges over a network.', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2025-21396 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

21. Security Feature Bypass - Chromium (CVE-2025-0443) - High [413]

Description: Chromium: CVE-2025-0443 Insufficient data validation in Extensions. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-0443 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

22. Remote Code Execution - Microsoft Office (CVE-2025-21392) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

23. Remote Code Execution - Microsoft Office (CVE-2025-21397) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

24. Remote Code Execution - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2025-21376) - High [407]

Description: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Qualys: CVE-2025-21376: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Windows Lightweight Directory Access Protocol (LDAP) is a standard network protocol that allows users to access and manage information within a directory service. The protocol provides a way to centrally store and manage user information across a network, often used for authentication and single sign-on (SSO) purposes within a company. An attacker must win a race condition to exploit the vulnerability successfully. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable LDAP server. Successful exploitation may lead to a buffer overflow, which could be leveraged to execute remote code.

Tenable: CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Tenable: CVE-2025-21376 is a critical RCE vulnerability affecting Windows Lightweight Directory Access Protocol (LDAP). This vulnerability was assigned a CVSSv3 score of 8.1, rated as critical and assessed as “Exploitation More Likely" according to Microsoft. Successful exploitation requires winning a race condition via a specially crafted request necessary to exploit a buffer overflow. If successful, the attacker could achieve RCE on an affected host.

Rapid7: Any security advisory which lists multiple weakness types typically describes a complex vulnerability, and Windows LDAP critical remote code execution (RCE) CVE-2025-21376 is no exception. Successful exploitation requires an attacker to navigate multiple challenges, including winning a race condition. The prize: code execution on the Windows LDAP server. Although Microsoft seldom specifies the privilege level of code execution on LDAP server vulnerabilities, Rapid7 has noted previously that the LDAP service runs in a SYSTEM context, and that is the only safe assumption. All versions of Windows receive a patch.

ZDI: CVE-2025-21376 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This vulnerability allows a remote, unauthenticated attacker to run their code on an affected system simply by sending a maliciously crafted request to the target. Since there’s no user interaction involved, that makes this bug wormable between affected LDAP servers. Microsoft lists this as “Exploitation Likely”, so even though this may be unlikely, I would treat this as an impending exploitation. Test and deploy the patch quickly.

25. Security Feature Bypass - Windows Kernel (CVE-2025-21359) - High [405]

Description: Windows Kernel Security Feature Bypass Vulnerability

26. Elevation of Privilege - Chromium (CVE-2025-0447) - High [404]

Description: Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2025-0447 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

27. Elevation of Privilege - Windows Secure Kernel Mode (CVE-2025-21325) - High [404]

Description: Windows Secure Kernel Mode Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-21325 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

28. Authentication Bypass - Chromium (CVE-2025-0435) - High [403]

Description: Inappropriate implementation in Navigation in Google Chrome on Android prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

MS PT Extended: CVE-2025-0435 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

29. Authentication Bypass - Chromium (CVE-2025-0439) - High [403]

Description: Race in Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-0439 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

30. Authentication Bypass - Chromium (CVE-2025-0440) - High [403]

Description: Inappropriate implementation in Fullscreen in Google Chrome on Windows prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-0440 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

31. Authentication Bypass - Chromium (CVE-2025-0442) - High [403]

Description: Inappropriate implementation in Payments in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-0442 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

Medium (58)

32. Cross Site Scripting - Chromium (CVE-2025-0434) - Medium [395]

Description: Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

MS PT Extended: CVE-2025-0434 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

33. Cross Site Scripting - Chromium (CVE-2025-0436) - Medium [395]

Description: Integer overflow in Skia in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

MS PT Extended: CVE-2025-0436 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

34. Cross Site Scripting - Chromium (CVE-2025-0438) - Medium [395]

Description: Stack buffer overflow in Tracing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)

MS PT Extended: CVE-2025-0438 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

35. Command Injection - Microsoft Dynamics 365 (CVE-2025-21177) - Medium [387]

Description: Microsoft Dynamics 365 Sales Elevation of Privilege Vulnerability. Server-Side Request Forgery (SSRF) in Microsoft Dynamics 365 Sales allows an authorized attacker to elevate privileges over a network.

MS PT Extended: CVE-2025-21177 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

36. Elevation of Privilege - Windows Core Messaging (CVE-2025-21358) - Medium [380]

Description: Windows Core Messaging Elevation of Privileges Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability

Tenable: CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 are EoP vulnerabilities affecting Windows Core Messaging. Two of the three vulnerabilities were assigned CVSSv3 scores of 7.0, while CVE-2025-21358 was assigned a CVSSv3 score of 7.8. Exploitation of these flaws could allow an attacker to elevate their privileges to SYSTEM.

37. Elevation of Privilege - Windows Disk Cleanup Tool (CVE-2025-21420) - Medium [380]

Description: Windows Disk Cleanup Tool Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

38. Elevation of Privilege - Windows Installer (CVE-2025-21373) - Medium [380]

Description: Windows Installer Elevation of Privilege Vulnerability

ZDI: There are a handful of privilege escalation bugs receiving fixes in this month’s release, and most of these either lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. One of these was reported by Trend ZDI’s Simon Zuckerbraun. CVE-2025-21373 is a link-following bug. Though the “msiserver” service is protected by the Redirection Guard mitigation, the mitigation can be bypassed if the attacker can mount an NTFS-formatted removable drive such as a USB drive. In this case, a low-privileged user can use this vulnerability to escalate privileges and execute code as SYSTEM.

39. Elevation of Privilege - Windows Win32 Kernel Subsystem (CVE-2025-21367) - Medium [380]

Description: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

40. Remote Code Execution - Microsoft Excel (CVE-2025-21381) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

Qualys: CVE-2025-21381: Microsoft Excel Remote Code Execution Vulnerability Microsoft Excel is a spreadsheet program that allows users to create, edit, analyze, and present data. It’s part of the Microsoft Office and Microsoft 365 suites. Successful exploitation of the vulnerability may allow an attacker to achieve remote code execution.

Rapid7: As if spreadsheets weren’t dangerous enough by themselves, today sees publication of CVE-2025-21381, a critical RCE in Excel. As usual for this class of attack, the advisory clarifies that “remote” in this case refers to the location of the attacker, since user interaction is required, and the code execution will be in the context of the user on their local machine. The Preview Pane is an attack vector, so simply glancing at a file or email containing a specially crafted malicious spreadsheet is enough for the attack to succeed, although an attacker could also convince a user to download and open a file from a website, or perhaps simply scatter a few USB sticks in the parking lot.

41. Remote Code Execution - Microsoft Excel (CVE-2025-21386) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

42. Remote Code Execution - Microsoft Excel (CVE-2025-21387) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

ZDI: CVE-2025-21387 - Microsoft Excel Remote Code Execution Vulnerability. This is one of several Excel fixes where the Preview Pane is an attack vector, which is confusing as Microsoft also notes that user interaction is required. They also note that multiple patches are required to address this vulnerability fully. This likely can be exploited either by opening a malicious Excel file or previewing a malicious attachment in Outlook. Either way, make sure you get all the needed patches tested and deployed.

43. Remote Code Execution - Microsoft Excel (CVE-2025-21390) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

44. Remote Code Execution - Microsoft Excel (CVE-2025-21394) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

45. Cross Site Scripting - Chromium (CVE-2025-0441) - Medium [371]

Description: Inappropriate implementation in Fenced Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to obtain potentially sensitive information from the system via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-0441 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

46. Remote Code Execution - Microsoft Digest Authentication (CVE-2025-21368) - Medium [369]

Description: Microsoft Digest Authentication Remote Code Execution Vulnerability

47. Remote Code Execution - Microsoft Digest Authentication (CVE-2025-21369) - Medium [369]

Description: Microsoft Digest Authentication Remote Code Execution Vulnerability

48. Remote Code Execution - Microsoft High Performance Compute (HPC) Pack (CVE-2025-21198) - Medium [369]

Description: Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability

49. Elevation of Privilege - Windows Core Messaging (CVE-2025-21184) - Medium [368]

Description: Windows Core Messaging Elevation of Privileges Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability

Tenable: CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 are EoP vulnerabilities affecting Windows Core Messaging. Two of the three vulnerabilities were assigned CVSSv3 scores of 7.0, while CVE-2025-21358 was assigned a CVSSv3 score of 7.8. Exploitation of these flaws could allow an attacker to elevate their privileges to SYSTEM.

Tenable: According to Microsoft, exploitation for CVE-2025-21184 and CVE-2025-21414 requires an attacker to gather information about the target as well as take additional measures to prepare a target for exploitation. Despite the differing requirements necessary for exploitation, Microsoft assesses all three of these vulnerabilities as “Exploitation More Likely.”

50. Elevation of Privilege - Windows Core Messaging (CVE-2025-21414) - Medium [368]

Description: Windows Core Messaging Elevation of Privileges Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability

Tenable: CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 are EoP vulnerabilities affecting Windows Core Messaging. Two of the three vulnerabilities were assigned CVSSv3 scores of 7.0, while CVE-2025-21358 was assigned a CVSSv3 score of 7.8. Exploitation of these flaws could allow an attacker to elevate their privileges to SYSTEM.

Tenable: According to Microsoft, exploitation for CVE-2025-21184 and CVE-2025-21414 requires an attacker to gather information about the target as well as take additional measures to prepare a target for exploitation. Despite the differing requirements necessary for exploitation, Microsoft assesses all three of these vulnerabilities as “Exploitation More Likely.”

51. Elevation of Privilege - Windows Resilient File System (ReFS) Deduplication Service (CVE-2025-21182) - Medium [368]

Description: Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability

52. Elevation of Privilege - Windows Resilient File System (ReFS) Deduplication Service (CVE-2025-21183) - Medium [368]

Description: Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability

53. Authentication Bypass - Chromium (CVE-2025-0446) - Medium [367]

Description: Inappropriate implementation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)

MS PT Extended: CVE-2025-0446 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

54. Remote Code Execution - Microsoft SharePoint Server (CVE-2025-21400) - Medium [357]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability

Tenable: CVE-2025-21400 is a RCE vulnerability affecting Microsoft SharePoint Server. This vulnerability was assigned a CVSSv3 score of 8.0 and rated as important. Successful exploitation would grant an attacker the ability to execute arbitrary code. Exploitation requires an attacker to coerce the victim machine to first connect to a malicious server. This vulnerability was credited to cjm00n of Cyber Kunlun Lab and Zhiniang Peng.

55. Denial of Service - Windows Active Directory Domain Services API (CVE-2025-21351) - Medium [353]

Description: Windows Active Directory Domain Services API Denial of Service Vulnerability

56. Remote Code Execution - DHCP Client Service (CVE-2025-21379) - Medium [345]

Description: DHCP Client Service Remote Code Execution Vulnerability

Qualys: CVE-2025-21379: DHCP Client Service Remote Code Execution Vulnerability A DHCP Client Service refers to the software component on a computer that allows it to automatically acquire network configuration details like an IP address, subnet mask, and default gateway from a DHCP server on the network. The vulnerability can be exploited by a machine-in-the-middle (MITM) attack. The vulnerability is only limited to systems connected to the same network segment as the attacker. The vulnerability cannot be exploited across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

Rapid7: Today sees the publication of a slightly mysterious critical RCE in the Windows DHCP Client Service. Exploitation of CVE-2025-21379 requires an attacker to intercept and potentially modify communications between the Windows DHCP client and the requested resource, which implies either that an attacker can break encryption, or that no encryption is present in the DHCP communication; this risk is highlighted in Microsoft’s own spec for DHCP implementation.

57. Spoofing - Microsoft Edge (CVE-2025-21267) - Medium [345]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability

MS PT Extended: CVE-2025-21267 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

58. Information Disclosure - Microsoft Excel (CVE-2025-21383) - Medium [343]

Description: Microsoft Excel Information Disclosure Vulnerability

59. Memory Corruption - Chromium (CVE-2025-0437) - Medium [341]

Description: Chromium: CVE-2025-0437 Out of bounds read in Metrics. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-0437 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

60. Memory Corruption - Chromium (CVE-2025-0762) - Medium [341]

Description: Chromium: CVE-2025-0762 Use after free in DevTools. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-0762 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

61. Cross Site Scripting - Chromium (CVE-2025-0448) - Medium [335]

Description: Inappropriate implementation in Compositing in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2025-0448 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

62. Elevation of Privilege - Kernel Streaming WOW Thunk Service Driver (CVE-2025-21375) - Medium [330]

Description: Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability

63. Elevation of Privilege - Microsoft Edge (Chromium-based) Update (CVE-2025-21399) - Medium [330]

Description: Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability

MS PT Extended: CVE-2025-21399 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

64. Elevation of Privilege - Microsoft PC Manager (CVE-2025-21322) - Medium [330]

Description: Microsoft PC Manager Elevation of Privilege Vulnerability

65. Denial of Service - Windows Deployment Services (CVE-2025-21347) - Medium [329]

Description: Windows Deployment Services Denial of Service Vulnerability

66. Denial of Service - Windows Kerberos (CVE-2025-21350) - Medium [329]

Description: Windows Kerberos Denial of Service Vulnerability

67. Memory Corruption - Chromium (CVE-2025-0611) - Medium [329]

Description: Chromium: CVE-2025-0612 Out of bounds memory access in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-0611 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

68. Memory Corruption - Chromium (CVE-2025-0612) - Medium [329]

Description: Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

MS PT Extended: CVE-2025-0612 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

69. Security Feature Bypass - Microsoft Surface (CVE-2025-21194) - Medium [327]

Description: Microsoft Surface Security Feature Bypass Vulnerability

Qualys: CVE-2025-21194: Microsoft Surface Security Feature Bypass Vulnerability Microsoft Surface is a family of touchscreen-based personal computers, tablets, and interactive whiteboard hardware products. Most of them run the Windows operating system and use Intel processors. Successful exploitation of the vulnerability requires an attacker to gain access to the restricted network before running an attack.

Tenable: CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability

Tenable: CVE-2025-21194 is a security feature bypass vulnerability affecting Microsoft Surface. This vulnerability was assigned a CVSSv3 score of 7.1 and was publicly disclosed prior to a patch being available from Microsoft. According to the advisory, exploitation requires multiple steps, including an attacker successfully gaining access to the same network as the device. Additionally, exploitation requires the attacker to convince the user to reboot their device. With multiple requirements for exploitation, this flaw was assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index.

Rapid7: A wide array of Microsoft Surface machines are vulnerable to CVE-2025-21194 until patched, although the most recent Surface Pro 10 and 11 series are not listed as vulnerable. The vulnerability is described as a security feature bypass, and exploitation could lead to container escape from a UEFI host machine and compromise of the hypervisor. Surface devices receive updates via Windows Update, although the advisory also gives brief instructions for users who wish to apply the updates manually. Microsoft describes the vulnerability as publicly disclosed.

70. Elevation of Privilege - Windows NTFS (CVE-2025-21337) - Medium [320]

Description: Windows NTFS Elevation of Privilege Vulnerability

71. Spoofing - Microsoft Edge for IOS and Android (CVE-2025-21253) - Medium [319]

Description: Microsoft Edge for IOS and Android Spoofing Vulnerability

MS PT Extended: CVE-2025-21253 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

72. Elevation of Privilege - Microsoft AutoUpdate (MAU) (CVE-2025-24036) - Medium [318]

Description: Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability

73. Elevation of Privilege - Visual Studio Code JS Debug Extension (CVE-2025-24042) - Medium [318]

Description: Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability

74. Elevation of Privilege - Azure Network Watcher VM Extension (CVE-2025-21188) - Medium [306]

Description: Azure Network Watcher VM Extension Elevation of Privilege Vulnerability

75. Memory Corruption - Chromium (CVE-2025-0444) - Medium [305]

Description: Chromium: CVE-2025-0444 Use after free in Skia. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-0444 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

76. Denial of Service - Microsoft Message Queuing (MSMQ) (CVE-2025-21181) - Medium [303]

Description: Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability

77. Spoofing - Chromium (CVE-2025-21262) - Medium [300]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability. User Interface (UI) Misrepresentation of Critical Information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network

MS PT Extended: CVE-2025-21262 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

78. Memory Corruption - Chromium (CVE-2025-0445) - Medium [294]

Description: Chromium: CVE-2025-0445 Use after free in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2025-0445 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

79. Denial of Service - Internet Connection Sharing (ICS) (CVE-2025-21212) - Medium [291]

Description: Internet Connection Sharing (ICS) Denial of Service Vulnerability

80. Denial of Service - Internet Connection Sharing (ICS) (CVE-2025-21216) - Medium [291]

Description: Internet Connection Sharing (ICS) Denial of Service Vulnerability

81. Denial of Service - Internet Connection Sharing (ICS) (CVE-2025-21254) - Medium [291]

Description: Internet Connection Sharing (ICS) Denial of Service Vulnerability

82. Denial of Service - Internet Connection Sharing (ICS) (CVE-2025-21352) - Medium [291]

Description: Internet Connection Sharing (ICS) Denial of Service Vulnerability

83. Spoofing - Chromium (CVE-2025-0451) - Medium [288]

Description: Inappropriate implementation in Extensions API in Google Chrome prior to 133.0.6943.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)

MS PT Extended: CVE-2025-0451 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

84. Elevation of Privilege - Visual Studio Code (CVE-2025-24039) - Medium [285]

Description: Visual Studio Code Elevation of Privilege Vulnerability

85. Elevation of Privilege - Visual Studio Installer (CVE-2025-21206) - Medium [285]

Description: Visual Studio Installer Elevation of Privilege Vulnerability

86. Tampering - Windows Remote Desktop Configuration Service (CVE-2025-21349) - Medium [270]

Description: Windows Remote Desktop Configuration Service Tampering Vulnerability

87. Denial of Service - DHCP Client Service (CVE-2025-21179) - Medium [267]

Description: DHCP Client Service Denial of Service Vulnerability

88. Spoofing - Microsoft Edge (CVE-2025-21404) - Medium [264]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability

MS PT Extended: CVE-2025-21404 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

89. Spoofing - Microsoft Outlook (CVE-2025-21259) - Medium [230]

Description: Microsoft Outlook Spoofing Vulnerability

Low (0)

Exploitation in the wild detected (2)

Elevation of Privilege (2)

• Windows Ancillary Function Driver for WinSock (CVE-2025-21418)

Qualys: CVE-2025-21418: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability The Windows Ancillary Function Driver for WinSock is a core Windows system driver. This is a crucial component in the network communication process. The driver provides a low-level functionality to the WinSock API, allowing applications to interact with network sockets. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CISA added the CVE-2025-21418 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before March 4, 2025.

Tenable: Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)

Tenable: CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Tenable: CVE-2025-21418 is an EoP vulnerability in the Ancillary Function Driver for WinSock for Microsoft Windows. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM level privileges.

Rapid7: All versions of Windows receive patches today for CVE-2025-21418, a heap-based buffer overflow in the Windows Ancillary Function Driver (AFD). Successful exploitation leads to SYSTEM privileges. The AFD has been around for decades; it handles foundational networking functionality, so it is necessarily a kernel driver which interacts with a great deal of user-supplied input. It is perhaps not very shocking that AFD has been the site of a significant number of problems over the years: specifically, elevation of privilege (EoP) vulnerabilities. Microsoft is aware of existing exploitation in the wild, and with low attack complexity, low privilege requirements, and no requirement for user interaction, CVE-2025-21418 is one to prioritize for patching. The relatively low CVSSv3 base score of 7.8 and severity rating of Important may appear relatively mild; however, broad similarities exist between this vuln and CVE-2024-38193, which Rapid7 flagged as ripe for malware abuse on the day it was published, and which has subsequently been linked to exploitation by North Korean state-associated threat actor tracked as Lazarus.

ZDI: CVE-2025-21418 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. This is the other bug being actively exploited, but it’s a more traditional privilege escalation than the other one. In this case, an authenticated user would need to run a specially-crafted program that ends up executing code with SYSTEM privileges. That’s why these types of bugs are usually paired with a code execution bug to take over a system. Microsoft doesn’t provide any information on how widespread these attacks are, but regardless of how targeted the attacks may be, I would test and deploy these patches quickly.

ZDI: CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

• Windows Storage (CVE-2025-21391)

Qualys: CVE-2025-21391: Windows Storage Elevation of Privilege Vulnerability Windows Storage is a feature of Windows operating systems that manages how data is stored on a computer. It includes Storage Spaces, which combine physical and virtual disks to improve performance and protect data. The vulnerability does not allow an attacker to disclose any confidential information. The vulnerability may allow an attacker to delete data, which could lead to the service’s unavailability. CISA added the CVE-2025-21391 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before March 4, 2025.

Tenable: Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)

Tenable: CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability

Tenable: CVE-2025-21391 is an EoP vulnerability in Windows Storage. It was assigned a CVSSv3 score of 7.1 and is rated important. A local, authenticated attacker could exploit this vulnerability to delete files from a system. According to Microsoft, this vulnerability does not disclose confidential information to an attacker, rather, it only provides them with the capability to delete data, which may include data that could result in service disruption.

Rapid7: Ever wanted to delete a file on a Windows box, but pesky permissions prevented you from achieving your goal? CVE-2025-21391 might be just what you need: an elevation of privilege (EoP) vulnerability in the Windows Storage service for which Microsoft is aware of exploitation in the wild. No user interaction is required, and attack complexity is low, and the weakness is given as “CWE-59: Improper Link Resolution Before File Access” but what are attackers hoping to achieve here? Although the advisory provides scant detail, and even offers some vague reassurance that “an attacker would only be able to delete targeted files on a system”, it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service. As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links.

ZDI: CVE-2025-21391 - Windows Storage Elevation of Privilege Vulnerability. This is one of the bugs being exploited in the wild receiving a patch in this month’s release, and it’s a type of bug we haven’t seen exploited publicly. The vulnerability allows an attacker to delete targeted files. How does this lead to privilege escalation? My colleague Simon Zuckerbraun details the technique here. While we’ve seen similar issues in the past, this does appear to be the first time the technique has been exploited in the wild. It’s also likely paired with a code execution bug to completely take over a system. Test and deploy this quickly.

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (87)

Remote Code Execution (26)

• Microsoft Edge (CVE-2025-21279, CVE-2025-21283, CVE-2025-21342, CVE-2025-21408)

MS PT Extended: CVE-2025-21279 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-21283 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-21408 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-21342 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• HackerOne: CVE-2023-32002 Node.js `Module._load()` policy (CVE-2023-32002)
• Windows Routing and Remote Access Service (RRAS) (CVE-2025-21208, CVE-2025-21410)
• Windows Telephony Server (CVE-2025-21201)
• Windows Telephony Service (CVE-2025-21190, CVE-2025-21200, CVE-2025-21371, CVE-2025-21406, CVE-2025-21407)
• Microsoft Office (CVE-2025-21392, CVE-2025-21397)
• Windows Lightweight Directory Access Protocol (LDAP) (CVE-2025-21376)

Qualys: CVE-2025-21376: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Windows Lightweight Directory Access Protocol (LDAP) is a standard network protocol that allows users to access and manage information within a directory service. The protocol provides a way to centrally store and manage user information across a network, often used for authentication and single sign-on (SSO) purposes within a company. An attacker must win a race condition to exploit the vulnerability successfully. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable LDAP server. Successful exploitation may lead to a buffer overflow, which could be leveraged to execute remote code.

Tenable: CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Tenable: CVE-2025-21376 is a critical RCE vulnerability affecting Windows Lightweight Directory Access Protocol (LDAP). This vulnerability was assigned a CVSSv3 score of 8.1, rated as critical and assessed as “Exploitation More Likely" according to Microsoft. Successful exploitation requires winning a race condition via a specially crafted request necessary to exploit a buffer overflow. If successful, the attacker could achieve RCE on an affected host.

Rapid7: Any security advisory which lists multiple weakness types typically describes a complex vulnerability, and Windows LDAP critical remote code execution (RCE) CVE-2025-21376 is no exception. Successful exploitation requires an attacker to navigate multiple challenges, including winning a race condition. The prize: code execution on the Windows LDAP server. Although Microsoft seldom specifies the privilege level of code execution on LDAP server vulnerabilities, Rapid7 has noted previously that the LDAP service runs in a SYSTEM context, and that is the only safe assumption. All versions of Windows receive a patch.

ZDI: CVE-2025-21376 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This vulnerability allows a remote, unauthenticated attacker to run their code on an affected system simply by sending a maliciously crafted request to the target. Since there’s no user interaction involved, that makes this bug wormable between affected LDAP servers. Microsoft lists this as “Exploitation Likely”, so even though this may be unlikely, I would treat this as an impending exploitation. Test and deploy the patch quickly.

• Microsoft Excel (CVE-2025-21381, CVE-2025-21386, CVE-2025-21387, CVE-2025-21390, CVE-2025-21394)

Qualys: CVE-2025-21381: Microsoft Excel Remote Code Execution Vulnerability Microsoft Excel is a spreadsheet program that allows users to create, edit, analyze, and present data. It’s part of the Microsoft Office and Microsoft 365 suites. Successful exploitation of the vulnerability may allow an attacker to achieve remote code execution.

Rapid7: As if spreadsheets weren’t dangerous enough by themselves, today sees publication of CVE-2025-21381, a critical RCE in Excel. As usual for this class of attack, the advisory clarifies that “remote” in this case refers to the location of the attacker, since user interaction is required, and the code execution will be in the context of the user on their local machine. The Preview Pane is an attack vector, so simply glancing at a file or email containing a specially crafted malicious spreadsheet is enough for the attack to succeed, although an attacker could also convince a user to download and open a file from a website, or perhaps simply scatter a few USB sticks in the parking lot.

ZDI: CVE-2025-21387 - Microsoft Excel Remote Code Execution Vulnerability. This is one of several Excel fixes where the Preview Pane is an attack vector, which is confusing as Microsoft also notes that user interaction is required. They also note that multiple patches are required to address this vulnerability fully. This likely can be exploited either by opening a malicious Excel file or previewing a malicious attachment in Outlook. Either way, make sure you get all the needed patches tested and deployed.

• Microsoft Digest Authentication (CVE-2025-21368, CVE-2025-21369)
• Microsoft High Performance Compute (HPC) Pack (CVE-2025-21198)
• Microsoft SharePoint Server (CVE-2025-21400)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability

Tenable: CVE-2025-21400 is a RCE vulnerability affecting Microsoft SharePoint Server. This vulnerability was assigned a CVSSv3 score of 8.0 and rated as important. Successful exploitation would grant an attacker the ability to execute arbitrary code. Exploitation requires an attacker to coerce the victim machine to first connect to a malicious server. This vulnerability was credited to cjm00n of Cyber Kunlun Lab and Zhiniang Peng.

• DHCP Client Service (CVE-2025-21379)

Qualys: CVE-2025-21379: DHCP Client Service Remote Code Execution Vulnerability A DHCP Client Service refers to the software component on a computer that allows it to automatically acquire network configuration details like an IP address, subnet mask, and default gateway from a DHCP server on the network. The vulnerability can be exploited by a machine-in-the-middle (MITM) attack. The vulnerability is only limited to systems connected to the same network segment as the attacker. The vulnerability cannot be exploited across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

Rapid7: Today sees the publication of a slightly mysterious critical RCE in the Windows DHCP Client Service. Exploitation of CVE-2025-21379 requires an attacker to intercept and potentially modify communications between the Windows DHCP client and the requested resource, which implies either that an attacker can break encryption, or that no encryption is present in the DHCP communication; this risk is highlighted in Microsoft’s own spec for DHCP implementation.

Elevation of Privilege (22)

• Windows Setup Files Cleanup (CVE-2025-21419)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

• Microsoft Edge (CVE-2025-21185)

MS PT Extended: CVE-2025-21185 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• account (CVE-2025-21396)

MS PT Extended: CVE-2025-21396 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• Chromium (CVE-2025-0447)

MS PT Extended: CVE-2025-0447 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• Windows Secure Kernel Mode (CVE-2025-21325)

MS PT Extended: CVE-2025-21325 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• Windows Core Messaging (CVE-2025-21184, CVE-2025-21358, CVE-2025-21414)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability

Tenable: CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 are EoP vulnerabilities affecting Windows Core Messaging. Two of the three vulnerabilities were assigned CVSSv3 scores of 7.0, while CVE-2025-21358 was assigned a CVSSv3 score of 7.8. Exploitation of these flaws could allow an attacker to elevate their privileges to SYSTEM.

Tenable: According to Microsoft, exploitation for CVE-2025-21184 and CVE-2025-21414 requires an attacker to gather information about the target as well as take additional measures to prepare a target for exploitation. Despite the differing requirements necessary for exploitation, Microsoft assesses all three of these vulnerabilities as “Exploitation More Likely.”

• Windows Disk Cleanup Tool (CVE-2025-21420)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

• Windows Installer (CVE-2025-21373)

ZDI: There are a handful of privilege escalation bugs receiving fixes in this month’s release, and most of these either lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. One of these was reported by Trend ZDI’s Simon Zuckerbraun. CVE-2025-21373 is a link-following bug. Though the “msiserver” service is protected by the Redirection Guard mitigation, the mitigation can be bypassed if the attacker can mount an NTFS-formatted removable drive such as a USB drive. In this case, a low-privileged user can use this vulnerability to escalate privileges and execute code as SYSTEM.

• Windows Win32 Kernel Subsystem (CVE-2025-21367)

Qualys: Other Microsoft Vulnerability Highlights CVE-2025-21358 is an elevation of privilege vulnerability in Windows Core Messaging. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21184 & CVE-2025-21414 are elevations of privilege vulnerability in Windows Core Messaging. An attacker must gather information specific to the environment and take additional actions before exploitation to prepare the target environment for successful exploitation. Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2025-21420 is an elevation of privilege vulnerability in the Windows Disk Cleanup Tool. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2025-21400 is a remote code execution vulnerability in Microsoft SharePoint Server. In a network-based attack, an authenticated attacker, with Site Owner permission, could write arbitrary code to inject and execute code on the SharePoint Server. CVE-2025-21419 is an elevation of privilege vulnerability in Windows Setup Files Cleanup. An attacker who exploits the vulnerability may delete targeted files on a system. CVE-2025-21367 is an elevation of privilege vulnerability in the Windows Win32 Kernel Subsystem. Upon successful exploitation, an attacker may gain SYSTEM privileges.

• Windows Resilient File System (ReFS) Deduplication Service (CVE-2025-21182, CVE-2025-21183)
• Kernel Streaming WOW Thunk Service Driver (CVE-2025-21375)
• Microsoft Edge (Chromium-based) Update (CVE-2025-21399)

MS PT Extended: CVE-2025-21399 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• Microsoft PC Manager (CVE-2025-21322)
• Windows NTFS (CVE-2025-21337)
• Microsoft AutoUpdate (MAU) (CVE-2025-24036)
• Visual Studio Code JS Debug Extension (CVE-2025-24042)
• Azure Network Watcher VM Extension (CVE-2025-21188)
• Visual Studio Code (CVE-2025-24039)
• Visual Studio Installer (CVE-2025-21206)

Authentication Bypass (6)

• Azure (CVE-2025-21415)

MS PT Extended: CVE-2025-21415 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• Chromium (CVE-2025-0435, CVE-2025-0439, CVE-2025-0440, CVE-2025-0442, CVE-2025-0446)

MS PT Extended: CVE-2025-0440 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0442 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0439 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0435 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0446 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

Spoofing (7)

• Windows NTLM (CVE-2025-21377)

Qualys: CVE-2025-21377: NTLM Hash Disclosure Spoofing Vulnerability An NTLM hash is a cryptographic representation of a user’s password stored on Windows systems. It is a vital part of the process used to authenticate a user on Windows systems. An attacker may exploit the vulnerability to disclose a user’s NTLMv2 hash. Upon successful exploitation, an attacker may authenticate as the user.

Tenable: CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability

Tenable: CVE-2025-21377 is a New Technology LAN Manager (NTLM) Hash disclosure spoofing vulnerability that was publicly disclosed prior to a patch being made available. Despite the medium severity CVSSv3 score of 6.5, Microsoft assesses this vulnerability as “Exploitation More Likely.” Successful exploitation requires an attacker to convince a user to interact with a malicious file, such as inspecting the file or “performing an action other than opening or executing the file.” Exploitation would allow an attacker to obtain a user's NTLMv2 hash, which could then be used to authenticate as that user.

Rapid7: It’s almost surprising when any particular Patch Tuesday doesn’t involve plugging one or two holes through which NTLM hashes can leak. CVE-2025-21377 describes an NTLMv2 hash disclosure vulnerability where exploitation ultimately results in the attacker gaining the ability to authenticate as the targeted user. Minimal user interaction with a malicious file is required, including selecting, inspecting, or “performing an action other than opening or executing the file.” This trademark linguistic ducking and weaving may be Microsoft’s way of saying “if we told you any more, we’d give the game away.” Accordingly, Microsoft assesses exploitation as more likely. The advisory acknowledges researchers from 0patch by ACROS Security — who also reported last month’s NTLM hash disclosure zero-day vuln CVE-2025-21308 — as well as others from Securify and Cathay Pacific; this might be the first instance of an airline receiving credit for reporting a Microsoft zero-day vulnerability.

• Microsoft Edge (CVE-2025-21267, CVE-2025-21404)

MS PT Extended: CVE-2025-21404 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-21267 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• Microsoft Edge for IOS and Android (CVE-2025-21253)

MS PT Extended: CVE-2025-21253 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• Chromium (CVE-2025-0451, CVE-2025-21262)

MS PT Extended: CVE-2025-21262 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0451 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• Microsoft Outlook (CVE-2025-21259)

Security Feature Bypass (3)

• Chromium (CVE-2025-0443)

MS PT Extended: CVE-2025-0443 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

• Windows Kernel (CVE-2025-21359)
• Microsoft Surface (CVE-2025-21194)

Qualys: CVE-2025-21194: Microsoft Surface Security Feature Bypass Vulnerability Microsoft Surface is a family of touchscreen-based personal computers, tablets, and interactive whiteboard hardware products. Most of them run the Windows operating system and use Intel processors. Successful exploitation of the vulnerability requires an attacker to gain access to the restricted network before running an attack.

Tenable: CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability

Tenable: CVE-2025-21194 is a security feature bypass vulnerability affecting Microsoft Surface. This vulnerability was assigned a CVSSv3 score of 7.1 and was publicly disclosed prior to a patch being available from Microsoft. According to the advisory, exploitation requires multiple steps, including an attacker successfully gaining access to the same network as the device. Additionally, exploitation requires the attacker to convince the user to reboot their device. With multiple requirements for exploitation, this flaw was assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index.

Rapid7: A wide array of Microsoft Surface machines are vulnerable to CVE-2025-21194 until patched, although the most recent Surface Pro 10 and 11 series are not listed as vulnerable. The vulnerability is described as a security feature bypass, and exploitation could lead to container escape from a UEFI host machine and compromise of the hypervisor. Surface devices receive updates via Windows Update, although the advisory also gives brief instructions for users who wish to apply the updates manually. Microsoft describes the vulnerability as publicly disclosed.

Cross Site Scripting (5)

• Chromium (CVE-2025-0434, CVE-2025-0436, CVE-2025-0438, CVE-2025-0441, CVE-2025-0448)

MS PT Extended: CVE-2025-0448 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0438 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0436 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0441 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0434 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

Command Injection (1)

• Microsoft Dynamics 365 (CVE-2025-21177)

MS PT Extended: CVE-2025-21177 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

Denial of Service (9)

• Windows Active Directory Domain Services API (CVE-2025-21351)
• Windows Deployment Services (CVE-2025-21347)
• Windows Kerberos (CVE-2025-21350)
• Microsoft Message Queuing (MSMQ) (CVE-2025-21181)
• Internet Connection Sharing (ICS) (CVE-2025-21212, CVE-2025-21216, CVE-2025-21254, CVE-2025-21352)
• DHCP Client Service (CVE-2025-21179)

Information Disclosure (1)

• Microsoft Excel (CVE-2025-21383)

Memory Corruption (6)

• Chromium (CVE-2025-0437, CVE-2025-0444, CVE-2025-0445, CVE-2025-0611, CVE-2025-0612, CVE-2025-0762)

MS PT Extended: CVE-2025-0762 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0437 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0444 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0445 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0611 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

MS PT Extended: CVE-2025-0612 was published before February 2025 Patch Tuesday from 2025-01-15 to 2025-02-10

Tampering (1)

• Windows Remote Desktop Configuration Service (CVE-2025-21349)