The Human Connection Blog

Patch Tuesday February 2025

BenMcCarthy
10 days ago

Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive Labs' Cyber Threat Research Team reviews these patch notes for the standout vulnerabilities you need to know about.

CVE-2025-21418 - 7.8 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

Top of the list for things to patch this month is a local privilege escalation that threat actors are actively exploiting in the wild. No information is provided on which threat actors or how they are using it, but what we do know is that an attacker exploiting this vulnerability will be able to gain SYSTEM-level permissions on the affected host. 

As this is a local exploit, it does mean that an attacker or malicious insider must already have access to the target machine, typically through a phishing attack, malicious document, or another remote code execution vulnerability. 

Despite its relatively low score of 7.8 compared to a Critical 9.8, this vulnerability is valuable to attackers: local privilege escalation flaws allow them to disable security tooling, dump credentials, or move laterally across the network using the increased access.

CVE-2025-21377 - 6.5 - NTLM Hash Disclosure Spoofing Vulnerability

Another CVE to patch sooner rather than later is a zero-day that was discovered and disclosed in December 2024, with Microsoft announcing at the time that patches would not be available until 2025. Tracked as CVE-2025-21377, this vulnerability allows a threat actor to steal a victim's NTLM credentials by sending them a malicious file. The user doesn't have to open or run the executable, but simply viewing the file in Explorer could be enough to trigger the vulnerability. 

This specific vulnerability enables what is known as an NTLM relay or pass-the-hash attack, and threat actors love this style of attack because it allows them to impersonate users on the network. If an attacker can collect your NTLM hash, they effectively hold a hashed form of your password and can log in to workstations, servers, or other Microsoft services as if they had your username and password.

Preventing outbound SMB traffic can help limit the exposure. Because this is such a prevalent technique, Microsoft has specific guidance available on its website on Mitigating Pass-the-Hash (PtH) attacks.
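One way to apply that mitigation on a single Windows host, as an added example that is not from the original post or from Microsoft's guidance: a Windows Defender Firewall rule that blocks outbound SMB (TCP 445) to public address space while leaving SMB to RFC 1918 ranges working. The rule name and the assumption that only private ranges count as internal are mine; adjust them to your own address plan.

```powershell
# Added example (not from the original post): deny outbound SMB to the public
# internet so a lure file cannot make this host authenticate, and leak an NTLM
# hash, to an attacker-controlled server. Assumes SMB to RFC 1918 private ranges
# must keep working; the ranges below are everything else in unicast IPv4.
$ruleName = 'Block outbound SMB to public networks'

$publicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# Idempotent: drop any earlier copy of the rule before recreating it.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName `
    -Description 'Limits NTLM hash disclosure (e.g. CVE-2025-21377) by denying SMB to internet hosts' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress $publicRanges -Action Block -Profile Any -Enabled True | Out-Null

# Check: the rule exists, is enabled, and is scoped to the public ranges only.
$rule = Get-NetFirewallRule -DisplayName $ruleName
[pscustomobject]@{
    Enabled       = $rule.Enabled
    Action        = $rule.Action
    RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
}

# Audit: list other enabled outbound rules that explicitly allow TCP 445. A block
# rule wins over an allow rule in Windows Firewall, but these show which software
# still expects SMB egress and should be reviewed when the block is rolled out.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and ($port.RemotePort -contains '445')
    } |
    Select-Object DisplayName, Profile, Group
```

Run it from an elevated PowerShell session; at fleet scale the same rule belongs in Group Policy or your endpoint management tooling rather than a per-host script.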

CVE-2025-21400 - 8.0 - Microsoft SharePoint Server Remote Code Execution Vulnerability

Microsoft SharePoint is a web-based platform that integrates with Microsoft Office, used to store, organize, and share information from any device. Details around this remote code execution vulnerability in SharePoint suggest that an attacker needs to be authenticated to exploit it.

Exploiting this vulnerability requires a client to connect to a malicious, attacker-controlled server, and with this access, an attacker could achieve code execution on the client. In a network-based attack, if the attacker has access to a client that belongs to the “Site Owners” group, meaning they have full control of the client system, they can craft injectable code to send to the SharePoint server that results in code execution.

CVE-2025-21408 - 8.8 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability refers to a potential security issue that, if exploited, could allow an attacker to execute arbitrary code in the context of the current user.

Vulnerabilities such as these are often attributed to the way Microsoft Edge (Chromium-based) handles objects in memory. In relation to this specific vulnerability, successful exploitation requires a victim user to click on a malicious link so that the attacker can initiate remote code execution (RCE) on Edge’s renderer process – which is part of a multi-process architecture that handles much of the code that runs on a webpage, including JavaScript, HTML, and CSS. 

The idea is that sites and sessions are isolated so the misbehavior of one site doesn’t affect another in the same browser session.

An attacker could potentially do a number of things after exploiting this vulnerability, including injecting malicious scripts into the running browser session, exploiting cross-site-scripting (XSS) vulnerabilities, stealing credentials from browser sessions, or deploying script-based malware that can be used to gain access to the user's machine.

Microsoft has released a patch for this vulnerability, which users are encouraged to download.

CVE-2025-21391 - 7.1 - Windows Storage Elevation of Privilege Vulnerability 

In today’s Patch Tuesday release by Microsoft, we see two vulnerabilities listed as ‘exploited in the wild.’ One is a Windows Storage Elevation of Privilege Vulnerability, given the Common Vulnerabilities and Exposures (CVE) identifier CVE-2025-21391. With a CVSS score of 7.1, the CVSS metrics indicate that this vulnerability doesn't affect confidentiality, so no sensitive data can be accessed. However, it can severely affect data integrity and availability.

The impact of this vulnerability is classified as an Escalation of Privilege, indicating that successful exploitation could allow an attacker to assume higher privileges on the compromised system. However, Microsoft has outlined that if the attacker successfully exploited this vulnerability, they could only delete targeted files on a system. Microsoft has released patches to mitigate this vulnerability, and administrators are advised to apply them immediately.

CVE-2025-21376 - 8.1 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

LDAP (Lightweight Directory Access Protocol) is a critical component of Windows environments, serving as the backbone for authentication, directory services, and centralized identity management. A recently disclosed critical vulnerability in Microsoft’s LDAP implementation poses a severe risk, allowing remote code execution due to a combination of race conditions, integer underflow, and heap-based buffer overflows. Exploiting this flaw requires an attacker to chain these exploits together by sending specially crafted requests to a vulnerable LDAP server, potentially gaining full control over the system. 

A compromise could lead to lateral movement, privilege escalation, and widespread network breaches because LDAP is integral to Active Directory, which underpins authentication and access control in enterprise environments. This vulnerability follows a history of LDAP-related exploits, such as privilege escalation flaws and buffer overflow attacks, reinforcing the importance of securing directory services. Organizations must prioritize patching and hardening LDAP configurations to mitigate exploitation risks and protect their Windows infrastructure from potential attacks.

This vulnerability represents a serious security risk to systems running vulnerable Microsoft LDAP servers. Because of its high value, attackers are likely to invest time in developing an exploit for it, a view echoed by Microsoft, which has rated this vulnerability as more likely to be exploited. Administrators are strongly urged to promptly apply the available security patches and implement the recommended mitigation steps to protect against exploitation.

CVE-2025-21379 - 7.1 - DHCP Client Service Remote Code Execution Vulnerability

The DHCP Client Service is a crucial component in Windows environments, responsible for dynamically assigning IP addresses and network configurations to devices. A newly identified critical vulnerability in this service allows for remote code execution due to a Use After Free flaw, which can lead to memory corruption and arbitrary code execution. The attack complexity is high because exploitation requires the attacker to position themselves in the network path between the target and its requested resource, executing a machine-in-the-middle (MITM) attack to intercept or manipulate DHCP responses.

Additionally, the attack vector is classified as adjacent, meaning the attacker must be on the same local network segment, such as a shared Wi-Fi or Ethernet switch, making remote exploitation over a WAN infeasible. While this lowers the criticality of the vulnerability, attackers may still want to add it to their toolkit, and given DHCP’s fundamental role in network connectivity, a successful attack could compromise endpoint security, facilitate lateral movement, and enable further network exploitation. This vulnerability underscores the importance of securing DHCP communications through network segmentation, encryption, and prompt patching to mitigate potential threats.

CVE-2025-21381 - 7.8 - Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel is a widely used productivity tool in enterprise environments, making vulnerabilities within it highly valuable for attackers, especially for phishing and malware distribution. A newly disclosed critical vulnerability, CVE-2025-21381, allows for remote code execution due to an Untrusted Pointer Dereference flaw. This flaw occurs when a program accesses a memory location using a pointer that has not been properly validated and can be attacker-controlled. It can lead to memory corruption and arbitrary code execution when processing maliciously crafted Excel files. 

Exploiting this vulnerability would enable an attacker to execute malicious code on a victim’s system simply by convincing them to open a compromised document. This method is often used in spear-phishing campaigns and malware distribution, such as Emotet and Dridex. 

Excel vulnerabilities are particularly dangerous because Excel macros and embedded scripts have historically been a significant attack vector for APT groups, ransomware operators, and financial fraud campaigns, often bypassing traditional security defenses. Given its widespread use in corporate environments, this vulnerability highlights the ongoing risk posed by weaponized office documents, reinforcing the need for patching, disabling macros by default, and implementing advanced email filtering to prevent exploitation.
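The "disabling macros by default" hardening recommended above, as an added example that is not from the original post: it sets the Office policy registry values for the current user's Excel and reads them back as a compliance check. The 16.0 policy path assumes Office 2016/2019/2021 or Microsoft 365; in a domain, the same values belong in a Group Policy Object.

```powershell
# Added example (not from the original post): enforce "macros disabled by
# default" for the current user's Excel through the Office policy registry keys.
# Assumes a 16.0-based Office (2016/2019/2021/Microsoft 365); in a domain the
# same values belong in a Group Policy Object rather than a per-host script.
$policyPath = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'

if (-not (Test-Path $policyPath)) {
    New-Item -Path $policyPath -Force | Out-Null
}

# VBAWarnings: 1 = enable all (weak), 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
Set-ItemProperty -Path $policyPath -Name 'VBAWarnings' -Value 4 -Type DWord

# Block macro execution in files carrying an internet Mark-of-the-Web, which is
# how most emailed and downloaded Excel lures arrive, regardless of VBAWarnings.
Set-ItemProperty -Path $policyPath -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

# Read the values back so the change can be checked, here or by inventory tooling.
$current = Get-ItemProperty -Path $policyPath
$compliant = ($current.VBAWarnings -eq 4) -and ($current.blockcontentexecutionfrominternet -eq 1)
[pscustomobject]@{
    VBAWarnings                       = $current.VBAWarnings
    BlockContentExecutionFromInternet = $current.blockcontentexecutionfrominternet
    Compliant                         = $compliant
}
```

This reduces exposure to the macro-based lures the paragraph describes; the untrusted pointer dereference in CVE-2025-21381 itself is only fixed by applying the patch.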

Updated 10 days ago
Version 2.0