Four zero-days in February’s Patch Tuesday

February 2025’s Patch Tuesday seems relatively relaxed, but there’s a catch for organizations using NTLM.

Compared to last month’s whopping 159 CVEs and eight zero-days, February 2025’s Patch Tuesday is relatively light, with “only” 63 Microsoft CVEs and four zero-days, of which two have been actively exploited.

Let’s start with the actively exploited zero-days:

CVE-2025-21391 (CVSS score 7.1 out of 10) is a Windows Storage Elevation of Privilege (EoP) vulnerability. Successful exploitation allows a local attacker to delete targeted files on a system, which could result in the unavailability of the services that need those files.

CVE-2025-21418 (CVSS score 7.8 out of 10) is an EoP vulnerability in the Ancillary Function Driver (AFD) for Winsock. It exposes a pathway to local privilege escalation through the Winsock application programming interface (API). An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.

The Winsock API defines how Windows network application software should access network services, and it uses AFD to gain an entry point through which the kernel can be accessed. The kernel is at the core of a computer’s operating system (OS) and exercises complete control over everything in the system.

The other two zero-day vulnerabilities are:

CVE-2025-21194 (CVSS score 7.1 out of 10) is a Microsoft Surface security feature bypass vulnerability. To exploit this vulnerability, an attacker needs to gain access to a restricted network and meet multiple other conditions, such as specific application behavior, hardware, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token.

But if the attacker succeeds and the target reboots their machine, it might be possible for the attacker to bypass the Unified Extensible Firmware Interface (UEFI), which could lead to the compromise of the hypervisor and the secure kernel.

CVE-2025-21377 (CVSS score 6.5 out of 10) is an NTLM hash disclosure spoofing vulnerability. Successful exploitation discloses a user’s NTLMv2 hash to the attacker, who can use this information to authenticate as the user.

NTLM is an old authentication protocol that was superseded by Kerberos long ago but is still in use today. NTLM hashes can be used in pass-the-hash attacks, where the attacker abuses the NTLM authentication protocol and authenticates with a password hash instead of a password.
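Since the catch in this month’s release is NTLM still being in use, the first question for a defender is where it is still in use. The script below is an added example, not code from the original article or from Microsoft: it summarizes NTLM logons from Windows Security log Event ID 4624 records exported as JSON lines, counts them by NTLM version and account, and flags NTLMv1 logons and NTLM network logons from outside the organization’s address space. The sample records, the internal address ranges in INTERNAL_NETS and the use of 4624 field names as JSON keys are constructed assumptions; a real export from your SIEM or Get-WinEvent will need its field names mapped accordingly.

```python
"""Summarize NTLM logons from exported Windows Security events.

Added example: parses Event ID 4624 (successful logon) records exported as
JSON lines and reports where NTLM is still in use so those logons can be
moved to Kerberos or restricted. The sample records below are constructed.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample export: keys follow the 4624 EventData field names.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "IpAddress": "10.1.2.30", "WorkstationName": "WS01"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.1.2.41", "WorkstationName": "FS02"},
    {"EventID": 4624, "TargetUserName": "bob", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "IpAddress": "10.1.5.7", "WorkstationName": "OLDPRINT"},
    {"EventID": 4624, "TargetUserName": "carol", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "203.0.113.9", "WorkstationName": "-"},
    {"EventID": 4624, "TargetUserName": "dave", "TargetDomainName": "CORP",
     "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "LmPackageName": "-", "IpAddress": "-", "WorkstationName": "WS07"},
    {"EventID": 4625, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.1.2.30", "WorkstationName": "WS01"},
])

# Assumed internal address space; replace with the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate a truncated or corrupted line in the export
    return events


def is_internal(ip):
    """True if ip parses and lies inside INTERNAL_NETS; '-' or junk is False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def summarize_ntlm(events):
    """Count NTLM logons among successful (4624) events and flag risky ones.

    Flagged: any NTLMv1 logon (weak; disable via LmCompatibilityLevel) and any
    NTLM network logon (LogonType 3) whose source is outside INTERNAL_NETS.
    """
    successes = [e for e in events if e.get("EventID") == 4624]
    ntlm = [e for e in successes if e.get("AuthenticationPackageName") == "NTLM"]
    by_version = Counter(e.get("LmPackageName", "-") for e in ntlm)
    by_account = Counter(
        f"{e.get('TargetDomainName')}\\{e.get('TargetUserName')}" for e in ntlm)
    flagged = []
    for e in ntlm:
        reasons = []
        if e.get("LmPackageName") == "NTLM V1":
            reasons.append("ntlmv1")
        if e.get("LogonType") == 3 and not is_internal(e.get("IpAddress", "-")):
            reasons.append("external-source")
        if reasons:
            flagged.append({
                "account": f"{e.get('TargetDomainName')}\\{e.get('TargetUserName')}",
                "source": e.get("IpAddress"),
                "workstation": e.get("WorkstationName"),
                "reasons": reasons,
            })
    return {
        "total_4624": len(successes),
        "ntlm_logons": len(ntlm),
        "by_version": dict(by_version),
        "by_account": dict(by_account),
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_ntlm(parse_events(SAMPLE_EXPORT)), indent=2))
```

The summary is a starting point for an NTLM inventory: accounts that only ever authenticate with NTLM usually point at a legacy service or device that cannot do Kerberos, and those are the systems to fix or isolate before tightening the "Restrict NTLM" policies, since a hash obtained through a disclosure bug like the one above is only useful where NTLM authentication is still accepted.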

Other vendors

Adobe released security updates for several products.

Apple released a security update for a zero-day exploited in ‘extremely sophisticated’ attacks.

Cisco released security updates for multiple products.

Google published the Android Security Bulletin February 2025.

SAP released security updates for several products as part of February Patch Day.