Microsoft just patched a host of worrying security issues, so update now

  • Microsoft releases February 2025 Patch Tuesday cumulative update
  • It fixes 55 security flaws, including four zero-days
  • Of the four zero-days, two are being actively exploited

Microsoft has fixed a total of 55 Windows security vulnerabilities, including four zero-day bugs, two of which are being actively exploited in the wild.

Because some of the bugs addressed in the cumulative update are already being exploited, users are advised to apply the fix immediately. The two flaws in question are CVE-2025-21391 (Windows Storage Elevation of Privilege vulnerability) and CVE-2025-21418 (Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability).

Threat actors could use the first one to delete files from a target system, and the second one to gain SYSTEM privileges in Windows. Microsoft did not want to discuss who was abusing these flaws, how, or against whom.

Notable mentions

In total, Microsoft addressed 19 Elevation of Privilege bugs, two Security Feature Bypass bugs, 22 Remote Code Execution flaws, one Information Disclosure bug, nine Denial of Service vulnerabilities, and three Spoofing flaws in its Patch Tuesday cumulative update.

Two other notable mentions are CVE-2025-21194 and CVE-2025-21377. These are also zero-day vulnerabilities, but there is no evidence of cybercriminals abusing them just yet. That being said, the first one could be used to bypass the UEFI and lead to compromise of the hypervisor and the secure kernel, while the second one is an NTLM Hash Disclosure Spoofing flaw that allows cybercriminals to potentially log in as the target user.

"Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file could trigger this vulnerability," Microsoft said in the advisory.

Aside from Patch Tuesday, Microsoft also addressed Edge browser flaws in a separate patch, fixing 10 vulnerabilities in the process. Furthermore, there was a critical Microsoft Dynamics 365 Sales elevation of privilege bug that was separately addressed.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
