February Patch Tuesday: Urgent Action Needed for Two Actively Exploited Windows Server Vulnerabilities

February Patch Tuesday addresses two actively exploited Windows Server vulnerabilities: CVE-2025-21391 (Windows Storage) and CVE-2025-21418 (WinSock privilege escalation), with the latter posing a critical risk. CISOs should also prioritize patches for LDAP remote code execution, NTLM hash disclosure, and Hyper-V vulnerabilities, which could lead to full system compromise. Experts emphasize the need for robust patch and vulnerability management to ensure security beyond just applying updates.

February Patch Tuesday: Urgent Action Needed for Two Actively Exploited Windows Server Vulnerabilities

CISOs should prioritize patches for LDAP, NTLM, and Hyper-V vulnerabilities, experts advise.

Security teams must promptly address two actively exploited vulnerabilities in Windows as part of their February Patch Tuesday updates:

• CVE-2025-21391 – A Windows Storage privilege escalation flaw allowing attackers to delete—but not read—specific files. While data confidentiality remains intact, Microsoft warns of significant risks to data integrity and availability. The attack is considered low-complexity.
• CVE-2025-21418 – A Windows Ancillary Function Driver for WinSock privilege escalation vulnerability caused by a buffer overflow. If exploited, an attacker could gain SYSTEM privileges, giving them the ability to install programs, alter data, or create new accounts.

Both vulnerabilities affect Windows Server versions from 2008 through 2025. While Microsoft rates them as Important, security experts caution that the WinSock vulnerability is particularly critical due to active exploitation.

Additional High-Risk Vulnerabilities

• CVE-2025-21376 (LDAP Zero-Day) – A critical remote code execution flaw in Windows Server’s LDAP service. Though not yet exploited, an unauthenticated attacker could exploit it over a network to gain complete system control. Given Active Directory’s role in enterprise authentication, this could lead to data breaches and service disruptions.
• Three Zero-Day Flaws in Windows Hyper-V (CVE-2025-21335, CVE-2025-21334, CVE-2025-21333) – These vulnerabilities allow low-privileged attackers to execute code with SYSTEM privileges, compromising the host system. Organizations using Hyper-V for cloud services, data centers, and enterprise IT should prioritize these patches and monitor for suspicious activity.
• NTLM Hash Disclosure (CVE-2025-21377) – While not yet exploited, this vulnerability leaks NTLMv2 hashes with minimal user interaction (e.g., clicking or right-clicking a malicious file). Attackers can leverage these hashes for pass-the-hash attacks, potentially gaining unauthorized access to sensitive systems. Experts recommend patching, reviewing NTLM usage, and considering Kerberos authentication as a stronger alternative.

Patch Management Challenges

Organizations vary in their patching strategies. Larger security teams test updates in a controlled environment before deployment, while smaller organizations often struggle with timely patching, leaving them more vulnerable.

Security experts advise CISOs to evaluate their patch and vulnerability management tools. Some solutions confirm that patches are installed but may not verify if the vulnerability is truly mitigated. A combination of patch management and vulnerability assessment tools ensures comprehensive security.