On February 11, 2025, Microsoft released patches for 63 security vulnerabilities, including two critical zero-day flaws: CVE-2025-21418 and CVE-2025-21391.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both critical vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to implement patches by March 4, 2025.

CVE-2025-21418, a buffer overflow vulnerability, is particularly concerning as it allows local exploits to gain SYSTEM level privileges.

Another actively exploited vulnerability, CVE-2025-21391, is a Windows Storage Elevation of Privilege flaw that could lead to file deletion and full system takeover.

Additionally, Microsoft highlighted two publicly known vulnerabilities that have not yet been exploited: CVE-2025-21194, affecting Surface devices, and CVE-2025-21377, which could leak NTLMv2 hashes.

The updates include critical vulnerabilities related to remote code execution, with remote code execution vulnerabilities making up 38.2% of the patched issues.

Categories of vulnerabilities fixed include 19 Elevation of Privilege, 22 Remote Code Execution, and several others, indicating a wide range of security concerns.

In addition to Microsoft, Adobe has also released security updates for 45 vulnerabilities across various products, including critical patches for Adobe Commerce and Illustrator.

Other vendors, including Apple and Google, have also issued updates this month to address various vulnerabilities, underscoring the ongoing need for vigilance in cybersecurity.

Tenable recommends immediate patching of systems and regular vulnerability scanning to maintain security, highlighting the importance of proactive measures.

This month's update is notably less extensive than January's record-breaking release, reflecting a more typical volume of fixes.

Microsoft emphasizes that organizations should prioritize addressing these vulnerabilities to safeguard their systems from potential attacks.