Microsoft just patched a host of worrying security issues, so update now
February's Patch Tuesday is upon us
- Microsoft releases February 2025 Patch Tuesday cumulative update
- It fixes 55 security flaws, including four zero-days
- Of the four zero-days, two are being actively exploited
Microsoft has fixed a total of 55 Windows security vulnerabilities, including four zero-day bugs, two of which are being actively exploited in the wild.
Since some of the bugs addressed in the cumulative update are being actively exploited, users are advised to apply the fix immediately. The two flaws in question are CVE-2025-21391 (Windows Storage Elevation of Privilege vulnerability) and CVE-2025-21418 (Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability).
Threat actors could use the first one to delete files from a target system, and the second one to gain SYSTEM privileges in Windows. Microsoft did not want to discuss who was abusing these flaws, how, or against whom.
Notable mentions
In total, Microsoft addressed 19 Elevation of Privilege bugs, 2 Security Feature Bypass bugs, 22 Remote Code Execution flaws, one Information Disclosure bug, nine Denial of Service vulnerabilities, and three Spoofing flaws in its Patch Tuesday cumulative update.
Two other notable mentions are CVE-2025-21194 and CVE-2025-21377. These two are also zero-day vulnerabilities, but there is no evidence of cybercriminals abusing them just yet. That being said, the first one could be used to bypass the UEFI and lead to compromise of the hypervisor and the secure kernel, while the second one is an NTLM Hash Disclosure Spoofing flaw that allows cybercriminals to potentially log in as the target user.
"Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file could trigger this vulnerability," Microsoft said in the advisory.
Aside from Patch Tuesday, Microsoft also addressed Edge browser flaws in a separate patch, fixing 10 vulnerabilities in the process. Furthermore, there was a critical Microsoft Dynamics 365 Sales elevation of privilege bug that was separately addressed.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.