CSO Online

February Patch Tuesday: CISOs should act now on two actively exploited Windows Server vulnerabilities

CISOs should make sure that two actively exploited vulnerabilities in Windows are addressed as part of their staff’s February Patch Tuesday efforts.

They are:

  • CVE-2025-21391, a Windows Storage elevation of privilege vulnerability that, if exploited, could allow an attacker to delete, but not read, targeted files on a system. While this wouldn't lead to a loss of confidentiality, Microsoft notes it would have a major impact on data integrity and availability.
    The underlying weakness is link following: a privileged component that accesses a file by name can be made to resolve a link or shortcut to an unintended resource, so the deletion lands on a file the attacker could not otherwise remove. The attack complexity is low, says Microsoft.
  • CVE-2025-21418, an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys) caused by a buffer overflow. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges, Microsoft warns.
    Affected are Windows Server 2008, 2012, 2016, 2019, 2022, and 2025.

Of the pair, two experts say the WinSock hole is more serious.

“With SYSTEM-level access, attackers could install programs, view, change, or delete data, or create new accounts with full user rights, compromising the security and integrity of corporate systems,” noted Mike Walters, president of patch management provider Action1. 

Tyler Reguly, associate director of security R&D at Fortra, agreed. “While both vulnerabilities are rated Important by Microsoft and have CVSS (Common Vulnerability Scoring System) scores in the 7.x range, I would treat the Windows AFD for WinSock vulnerability as critical when it comes to patching, given that it has seen active exploitation,” he said in an interview.

This vulnerability has the potential to hit all three parts of the CIA (data confidentiality, integrity, and availability) triad, he added.

Microsoft didn’t detail how or how widely these two vulnerabilities are being exploited.

“Any time you [as a CISO] see something experiencing active exploitation, you want to make sure your organization is responding as quickly as possible,” Reguly said.

Walters also drew attention to CVE-2025-21376, a remote code execution vulnerability in the Windows Server Lightweight Directory Access Protocol (LDAP) service. Although Microsoft reports no exploitation yet and describes the attack complexity as High, it rates the vulnerability itself as Critical.

“This is a critical remote code execution vulnerability that affects the LDAP service that is integrated with Windows Active Directory,” Walters said in an email. “An unauthenticated attacker could exploit this vulnerability over the network to execute arbitrary code, potentially leading to a full system compromise. Because Active Directory is the foundation for authentication and authorization in enterprise networks, exploiting this vulnerability could allow attackers to access sensitive information, disrupt services, and pivot to other systems on the network.”

Successful exploitation requires the attacker to win a race condition, Microsoft noted, which arises when two or more threads act on shared data at the same time and the outcome depends on their timing. An unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server, it said, and "successful exploitation could result in a buffer overflow which could be leveraged to achieve remote code execution."

Action1 also drew attention to three zero-day vulnerabilities (CVE-2025-21335, CVE-2025-21334, and CVE-2025-21333) in Windows Hyper-V NT Kernel Integration Virtual Service Provider (VSP).

Organizations relying on Hyper-V include data centers, cloud providers, enterprise IT environments, and development platforms. “An attacker with low privileges can execute code with SYSTEM privileges, gaining control over the host system,” Action1 noted. Infosec pros in organizations that use Hyper-V should prioritize patching for these vulnerabilities and monitor for possible unusual activity.

This month’s patches also included a fix (CVE-2025-21186) for Microsoft Access and one for Microsoft Dynamics 365 Sales (CVE-2025-21177).

CISOs should also be aware of a fix for an NTLM hash disclosure vulnerability (CVE-2025-21377). So far it hasn't been exploited.

However, Walters noted that this vulnerability results in the disclosure of users’ NTLMv2 hashes upon minimal user interaction, such as single-clicking or right-clicking a malicious file. It is considered more likely to be exploited due to public disclosure.

“Attackers who obtain NTLMv2 hashes can perform pass-the-hash attacks, impersonating users to gain unauthorized access to network resources, potentially compromising sensitive data and systems,” he said. “In addition to applying the patch, CISOs should evaluate the use of NTLM on their networks, consider implementing stronger authentication mechanisms such as Kerberos, and provide user training to prevent interactions with suspicious files.” 
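The NTLM review Walters recommends starts with knowing which accounts and workstations still authenticate with NTLM, and Windows can report that without blocking anything. The PowerShell below is an added example, not code from the article or from Action1: it switches the built-in "Restrict NTLM" policies to audit mode and summarizes the resulting events. It assumes an elevated session on a domain controller or member server; the EventData field names it picks out (UserName, DomainName, WorkstationName, SChannelName) are those of the 8004 event, so other event IDs may leave some columns blank.

```powershell
# Added example (not from the article or Action1): measure NTLM use before
# restricting it. Run elevated. Registry values below are the documented
# backing store for the "Network security: Restrict NTLM" Group Policy settings.

function Enable-NtlmAudit {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    # Restrict NTLM: Audit Incoming NTLM Traffic  -> 2 = audit all accounts
    Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
    # Restrict NTLM: Outgoing NTLM traffic to remote servers -> 1 = audit all (not deny)
    Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
    # Restrict NTLM: Audit NTLM authentication in this domain (DC only) -> 7 = enable all
    Set-ItemProperty -Path $lsa -Name 'AuditNTLMInDomain' -Value 7 -Type DWord
    # Audit records go to the NTLM operational channel; make sure it is enabled.
    wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true
}

function Get-NtlmAuditSummary {
    param([int]$Days = 7)
    # 8001 = outgoing NTLM audited, 8002 = incoming NTLM audited,
    # 8003 = NTLM audited on a domain member, 8004 = NTLM audited on a DC
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML rather than by
        # positional index, so one loop serves every event ID.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            User        = $data['UserName']        # field names assumed from event 8004
            Domain      = $data['DomainName']
            Workstation = $data['WorkstationName']
            Server      = $data['SChannelName']
        }
    } |
        Group-Object Id, Domain, User, Workstation |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Enable-NtlmAudit
Get-NtlmAuditSummary -Days 7 | Format-Table -AutoSize
```

Run it for a week or two before moving any of the three settings to "deny": the summary is the list of clients and services that break when NTLM is turned off. It also doubles as detection for the pivot Walters describes, since whatever an attacker does with a captured NTLM response, relay it or crack it offline, the reuse shows up here as NTLM authentication for a user from a workstation that user never sits at.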

Organizations still vary widely in their patching procedures, Reguly added. More mature infosec departments test patches in a lab, roll them out, and then run vulnerability scans to confirm that everything is patched. Smaller teams are hard-pressed to find time for testing, so they take longer to install patches and leave themselves more exposed.

Smaller organizations should “take a breath [when patches are released] and then take a look at your [patch and vulnerability management] tooling,” Reguly noted. “A lot of the time, tooling plays a large role in how well an organization works. There’s a lot of checkbox solutions out there that are cheaper on paper and they may not be giving you the big picture.”

Patch management tools will tell the CISO whether a patch has been installed, he said, but an installed patch doesn't always resolve the vulnerability, and the tool won't say whether the system is properly configured. Vulnerability management tools confirm that a vulnerability has truly been closed, he said.
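As an added illustration of Reguly's distinction between "installed" and "closed" (this is not code from the article or from Fortra), the following PowerShell compares what an inventory tool would report, the KB articles installed since the 11 February 2025 release, with the version of the WinSock driver actually on disk, and flags the common failure mode in which the update is recorded as installed but a pending reboot means afd.sys has not been replaced yet. The fixed afd.sys version differs per Windows build, so it is a mandatory parameter taken from the file-information table of Microsoft's advisory rather than a value supplied here.

```powershell
# Added example (not from the article or Fortra): check whether CVE-2025-21418
# is actually closed on this host, not merely whether an update is listed.

function Get-AfdPatchStatus {
    param(
        # Minimum fixed afd.sys version for this build, copied from the
        # Microsoft advisory's file information; deliberately not hard-coded.
        [Parameter(Mandatory)][version]$MinimumAfdVersion,
        # February 2025 Patch Tuesday release date
        [datetime]$ReleaseDate = [datetime]'2025-02-11'
    )

    # Version of the driver that is really on disk (binary version fields,
    # not the free-text FileVersion string, which carries a build tag suffix)
    $vi = (Get-Item "$env:SystemRoot\System32\drivers\afd.sys").VersionInfo
    $onDisk = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                             $vi.FileBuildPart, $vi.FilePrivatePart)

    # What a patch inventory would show: updates recorded since the release date
    $kbs = Get-HotFix |
        Where-Object { $_.InstalledOn -ge $ReleaseDate } |
        Select-Object -ExpandProperty HotFixID

    # Servicing or Windows Update still waiting for a restart: the new driver is
    # staged but the old one is what the kernel loaded.
    $rebootPending =
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

    $atFix = $onDisk -ge $MinimumAfdVersion
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        UpdatesSince    = ($kbs -join ', ')      # "installed" according to inventory
        AfdOnDisk       = $onDisk
        AfdAtOrAboveFix = $atFix
        RebootPending   = $rebootPending
        Closed          = $atFix -and -not $rebootPending   # "closed" in Reguly's sense
    }
}

# Usage (version comes from the advisory for your build):
#   Get-AfdPatchStatus -MinimumAfdVersion <fixed afd.sys version>
```

A host where UpdatesSince lists the February cumulative update but Closed is false is exactly the gap between the two tool classes: the patch tool is right that the update was installed, and the vulnerability scanner is right that the vulnerable driver is still the one running.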
