The February bundle is only about a third of the size of the January release.
Microsoft addressed 56 security vulnerabilities in this month's Patch Tuesday release, including two zero-day flaws that Microsoft says were already being exploited in the wild before the fixes shipped.
According to SC US, the more important of the two zero-days is CVE-2025-21391, an elevation-of-privilege bug in the Windows Storage component. Microsoft says a successful exploit lets an attacker delete targeted files on the system rather than read or modify them; the practical risk is that deletion can knock out a service, and that the flaw can be chained with a code-execution bug to take over the host.
The other zero-day, CVE-2025-21418, is an elevation-of-privilege flaw in the Ancillary Function Driver for WinSock (afd.sys). A local, authenticated attacker who exploits it can elevate to SYSTEM privileges and take full control of the machine.
According to Tenable, Microsoft notes that this vulnerability was exploited in the wild as a zero-day. Tenable adds that since 2022 Microsoft has patched nine Ancillary Function Driver for WinSock EoP vulnerabilities across Patch Tuesday releases: three in 2022, three in 2023 and three in 2024.
The three critical flaws in the February update are CVE-2025-21379, a remote code execution bug in the Windows DHCP Client Service; CVE-2025-21177, an elevation-of-privilege flaw in Microsoft Dynamics 365 Sales; and CVE-2025-21376, a remote code execution bug in Windows' LDAP implementation. None has been seen exploited yet, but the two Windows bugs allow remote code execution (the DHCP one requires the attacker to be positioned on the same network segment), which should make them a top priority for testing and deployment.
Tyler Reguly, associate director, security R&D at Fortra, said, “Microsoft must have felt sorry for us this month because, size-wise, we’re only getting 38 percent of the updates we had last month.
“Admins can breathe a further sigh of relief when they realize that CVE-2025-21177 is informational (it was already patched by Microsoft server side) and several of the CVEs may not apply in their environment.”
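The prioritisation advice above raises an obvious follow-up for anyone running a Windows estate: which hosts have actually taken this month's cumulative update, and which are even exposed to the bugs it fixes? The script below is an added example, not code from the article or from Microsoft, Tenable or Fortra. It does not map CVEs to KB numbers (those belong in the vendor's release notes and would be a fabrication here); it only asks whether any update has landed since the 11 February 2025 Patch Tuesday date (an assumption), reports the installed version of afd.sys so you can compare it against the KB article for CVE-2025-21418, and notes whether the DHCP Client service that CVE-2025-21379 lives in is running.

```powershell
# Added example: per-host triage after February 2025 Patch Tuesday.
# Assumptions: Patch Tuesday date is 2025-02-11; afd.sys lives in
# System32\drivers; the DHCP Client service is named "Dhcp". Run locally
# or through Invoke-Command on a list of hosts.
param(
    [datetime]$PatchTuesday = [datetime]'2025-02-11'
)

function Get-PatchTuesdayStatus {
    param([datetime]$Since)

    # Get-HotFix reads the QFE list; InstalledOn is null for some entries, so
    # filter those out before comparing dates.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since }

    # afd.sys is the driver patched for CVE-2025-21418. The fixed file version
    # is not encoded here; compare the reported value with the KB article.
    $afdPath = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
    $afdVersion = if (Test-Path $afdPath) {
        (Get-Item $afdPath).VersionInfo.FileVersion
    } else {
        'not present'
    }

    # CVE-2025-21379 is in the DHCP Client service; a host with it stopped
    # (static addressing, some server roles) is not exposed to that bug.
    $dhcp = Get-Service -Name Dhcp -ErrorAction SilentlyContinue
    $dhcpRunning = ($null -ne $dhcp) -and ($dhcp.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        OSBuild                  = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        UpdatesSincePatchTuesday = (($recent | Select-Object -ExpandProperty HotFixID) -join ', ')
        AfdSysVersion            = $afdVersion
        DhcpClientRunning        = $dhcpRunning
        NeedsAttention           = ($recent.Count -eq 0)
    }
}

Get-PatchTuesdayStatus -Since $PatchTuesday | Format-List
```

Two caveats for anyone adapting this: Get-HotFix only reports updates installed through the Windows servicing stack, so hosts patched by third-party tooling can show up as NeedsAttention; and an afd.sys version alone does not prove a host is fixed, it only tells you what to compare against the KB's file-information table. Run it across the fleet with Invoke-Command and sort on NeedsAttention first, then on DhcpClientRunning, to get the list Reguly's "may not apply in their environment" remark is pointing at.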
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.