Microsoft has released its February 2025 security update package, addressing 63 vulnerabilities across its product ecosystem. Four of these are zero-day vulnerabilities — two already being actively exploited in the wild — making this one of the more urgent monthly patches of 2025. Full details are published in the Microsoft Security Response Center update guide.
Critical Zero-Day Vulnerabilities Under Active Exploitation
The most pressing security threat comes from CVE-2025-21391, a Windows Storage vulnerability with a CVSS score of 7.1. This flaw enables attackers to delete specific system files, potentially causing significant service disruptions. While it does not directly enable data theft, the impact on system availability poses a substantial threat to business operations.
Another actively exploited vulnerability, CVE-2025-21418, affects the Windows AFD.sys driver and carries a CVSS score of 7.8. This flaw enables privilege escalation to SYSTEM level, effectively granting attackers complete control over compromised systems. The combination of active exploitation and elevated privileges makes this vulnerability particularly dangerous for enterprise environments.
Publicly Disclosed Zero-Day Vulnerabilities
Two additional zero-days were publicly disclosed before the patch release. CVE-2025-21194 targets Microsoft Surface devices, potentially compromising UEFI security mechanisms and affecting both hypervisor and kernel integrity. This vulnerability appears to be connected to the PixieFail IPv6 implementation flaws.
The second disclosed vulnerability, CVE-2025-21377, enables NTLM hash exposure through minimal user interaction with malicious files. This authentication bypass could allow attackers to gain unauthorized system access using compromised credentials.
High-Impact Remote Code Execution Vulnerabilities
Among the most severe issues addressed is CVE-2025-21198, a critical vulnerability in High Performance Compute (HPC) with a CVSS score of 9.0. This flaw enables remote code execution across HPC clusters, potentially compromising entire computing infrastructures. While initial network access is required, the lateral movement potential makes it particularly concerning for HPC environments.
The update also patches CVE-2025-21376, an LDAP protocol vulnerability with a CVSS score of 8.1, which could enable remote code execution through race condition exploitation.
Who Is at Risk
This update is critical for the following user and administrator groups:
- all Windows 10 and Windows 11 end users — CVE-2025-21391 and CVE-2025-21418 affect standard Windows installations without requiring administrator rights to trigger;
- enterprise environments running Windows Server with Active Directory — the NTLM hash exposure (CVE-2025-21377) targets authentication in domain environments;
- organizations using Windows LDAP services exposed to internal or external networks (CVE-2025-21376, CVSS 8.1);
- Microsoft Surface device users — CVE-2025-21194 affects Surface-specific UEFI implementations;
- HPC cluster administrators using Microsoft High Performance Compute services (CVE-2025-21198, CVSS 9.0).
Recommended Actions
Security teams should take the following steps immediately:
- deploy February 2025 Patch Tuesday updates via Windows Update or WSUS across all Windows endpoints and servers as a priority — the two actively exploited CVEs (21391, 21418) have confirmed in-the-wild attack chains;
- audit Windows Storage and AFD.sys file-access logs for signs of exploitation attempts since January 2025;
- restrict outbound NTLM authentication using Group Policy to limit exposure to CVE-2025-21377 hash-stealing attacks;
- for HPC environments, isolate cluster management interfaces from general-purpose networks until CVE-2025-21198 patches are confirmed deployed;
- verify Surface firmware updates separately from OS updates — UEFI patches may require a firmware update step outside the standard Windows Update process.
