Microsoft addresses fewer vulnerabilities in February 2025’s Patch Tuesday, but those it does address have far reaching consequences. Lewis Pope investigates.

The February 2025 updates from Microsoft this month deliver fixes for a much smaller number of vulnerabilities than previous months, but it does include an important fix for an NTLM hash vulnerability that was disclosed in December 2024.

This is a great example of how relying solely on Microsoft’s monthly patches to keep environments vulnerability free can leave IT teams with a false sense of the strength of their security posture. Timely patching of systems is a very important part of a proper Vulnerability Management program, but it will never be able to bring an environment to zero vulnerabilities. Understanding this can help defenders better protect the estates they are responsible for.

Microsoft Vulnerabilities

This month Microsoft released fixes for 56 vulnerabilities. These included:

• Two zero-day vulnerabilities that are Under Active Exploitation,
• a further two zero-day vulnerabilities that were previously disclosed (but as of time of writing have not been seen being publicly exploited);
• and, three critical remote code execution vulnerabilities.

CVE-2025-21418 is an elevation of privilege vulnerability affecting the Windows Ancillary Function Driver for WinSock. Microsoft indicates it affects 37 builds of Windows since Windows Server 2008 R2 making the affected install base very large. It may be even larger than this as AFD.sys has been a component of Windows since Windows NT 3.1. As Microsoft has long since put many Windows systems into EOS, it’s up to system admins to accept and mitigate risks that come from using unsupported systems. This vulnerability should be a top priority for this month as it requires no interaction from an end-user, has a low complexity and is Under Active Exploitation. It will likely become a common part of the toolkit for threat actors because of the wide range of targets it will be effective against.

CVE-2025-21391 is a Windows Storage Elevation of privilege vulnerability that affects Windows builds since Windows Server 2016 and Windows 10 1607. This zero-day vulnerability is currently Under Exploitation and allows an attacker to delete arbitrary files from a target system. Microsoft references in the release notes for this vulnerability Improper Link Resolution Before File Access which mentions the ability to read or overwrite the contents of a file. There is scant other information from Microsoft on this vulnerability, but attacks using this vulnerability could be part of a chained attacks to compromise or DoS a targeted Windows system.

CVE-2025-21377 is the aforementioned NTLM hash disclosure spoofing vulnerability that was disclosed by ACROS Security in December. This vulnerability allows for an attacker to capture the NTLM hash of an authentication against an attacker-controlled server though the use of specially crafted files, providing the attacker with information needed to perform authentication attacks or attempt to crack the hash. ACROS provided a micro-patch via 0Patch when they made the disclosure, leaving those that do not leverage 0Patch unprotected against this vulnerability for two months until Microsoft delivered the fix in this month’s patch release. This again highlights that simply relying on Microsoft patching, even if done in a hyper aggressive timetable of applying them as soon as they become available, can still leave systems vulnerable. Keeping systems as secure as possible in today’s threat landscape takes a lot more effort than making sure patches are up to date.

Also this month Microsoft adjusted its advice on which Windows OS builds are affected by CVE-2023-24932 to include Windows 11 24H2 and Windows Server 2025. It released security updates this patch Tuesday for Windows 11 22H2 and Windows 11 23H2. This is an almost two year gap between the original publication of the vulnerability with a fix from Microsoft, and additional Windows OS builds being included in the list of affected systems.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

Summary

Ensure that you maintain consistent patching procedures for assessment, testing, and deployment into your production environments. If your approach has typically centered around patching based on severity alone, it’s crucial to expand your patch management strategies. Integrate priority handling for patches related to Zero-Days, vulnerabilities with detected exploitations, and those with a higher likelihood of exploitation into your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd