February 2025 Patch Tuesday is here, and Microsoft has delivered fixes for 56 vulnerabilities, including two zero-days – CVE-2025-21418 and CVE-2025-21391 – under active exploitation.
CVE-2025-21418 and CVE-2025-21391
CVE-2025-21418 is a vulnerability in the Windows Ancillary Function Driver (AFD.sys), which interfaces with the Windows Sockets API to enable Windows applications to connect to the internet. It can be exploited by attackers to elevate privileges on the target host.
“An authenticated user would need to run a specially-crafted program that ends up executing code with SYSTEM privileges. That’s why these types of bugs are usually paired with a code execution bug to take over a system,” says Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.
Satnam Narang, Tenable’s senior staff research engineer, says that since 2022, there have been nine elevation of privilege vulnerabilities in the Ancillary Function Driver for WinSock, and only one of those was exploited in the wild as a zero day (CVE-2024-38193).
“According to the reports, CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group (also known as Hidden Cobra or Diamond Sleet) to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems. At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group,” he added.
CVE-2025-21391 affects Windows Storage in various Windows and Windows Server version. It is another elevation of privilege flaw that, according to Microsoft, would only allow attackers to delete targeted files on a system, and that could lead to the service being rendered unavailable.
Obviously, though, it could also lead to privilege escalation – as described by ZDI researcher Simon Zuckerbraun.
“While we’ve seen similar issues in the past, this does appear to be the first time the technique has been exploited in the wild. It’s also likely paired with a code execution bug to completely take over a system,” Childs commented, and advised users to test and deploy the patch for it quickly.
The two exploited zero-days have been added to CISA’s Known Exploited Vulnerabilities catalog.
Other vulnerabilities of note
CVE-2025-21194, a security feature bypass vulnerability affecting Microsoft Surface laptops, and CVE-2025-21377, a NTLMv2 hash disclosure vulnerability that could be used by attackers to authenticate as the user, have been marked as “publicly disclosed”.
The latter is more likely to be exploited, Microsoft judges. “Organizations using Windows systems that do not exclusively rely on Kerberos for authentication are at risk,” says Mike Walters, President of Action1.
CVE-2025-21376, a critical remote code execution vulnerability stemming from several weaknesses, could be exploited by unauthenticated attackers by sending a specially crafted request to a vulnerable Windows Lightweight Directory Access Protocol (LDAP) server.
“Since there’s no user interaction involved, that makes this bug wormable between affected LDAP servers,” Childs noted. “Microsoft lists this as ‘Exploitation Likely’, so even though this may be unlikely, I would treat this as an impending exploitation.”