Microsoft Patches Two Critical Zero-Day Flaws in February Security Update
February 11, 2025
On February 11, 2025, Microsoft released patches for 63 security vulnerabilities, including two critical zero-day flaws: CVE-2025-21418 and CVE-2025-21391.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both critical vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to implement patches by March 4, 2025.
CVE-2025-21418, a buffer overflow vulnerability, is particularly concerning as it allows local exploits to gain SYSTEM level privileges.
Another actively exploited vulnerability, CVE-2025-21391, is a Windows Storage Elevation of Privilege flaw that could lead to file deletion and full system takeover.
Additionally, Microsoft highlighted two publicly known vulnerabilities that have not yet been exploited: CVE-2025-21194, affecting Surface devices, and CVE-2025-21377, which could leak NTLMv2 hashes.
The updates include critical vulnerabilities related to remote code execution, with remote code execution vulnerabilities making up 38.2% of the patched issues.
Categories of vulnerabilities fixed include 19 Elevation of Privilege, 22 Remote Code Execution, and several others, indicating a wide range of security concerns.
In addition to Microsoft, Adobe has also released security updates for 45 vulnerabilities across various products, including critical patches for Adobe Commerce and Illustrator.
Other vendors, including Apple and Google, have also issued updates this month to address various vulnerabilities, underscoring the ongoing need for vigilance in cybersecurity.
Tenable recommends immediate patching of systems and regular vulnerability scanning to maintain security, highlighting the importance of proactive measures.
This month's update is notably less extensive than January's record-breaking release, reflecting a more typical volume of fixes.
Microsoft emphasizes that organizations should prioritize addressing these vulnerabilities to safeguard their systems from potential attacks.
Summary based on 8 sources
Get a daily email with more Tech stories
Sources

Krebs on Security • Feb 11, 2025
Microsoft Patch Tuesday, February 2025 Edition
The Register • Feb 12, 2025
February's Patch Tuesday sees Microsoft offer just 63 fixes
BleepingComputer • Feb 11, 2025
Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws
The Hacker News • Feb 12, 2025
Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation