1. Executive Summary
On 11 February 2025, Microsoft released Patch Tuesday security updates addressing 55 CVEs, including three Critical remote code execution (RCE) vulnerabilities and four zero-days. Two of the zero-days were confirmed as actively exploited in the wild at the time of release, making rapid remediation a priority for most organisations. The remaining two zero-days were publicly disclosed prior to patch availability, increasing the likelihood of opportunistic exploitation and weaponisation. Microsoft’s public advisories provided limited detail on exploitation chains or threat-actor tradecraft, so defenders should treat these as high-signal patch-and-hunt events rather than IOC-driven investigations.
Primary references: BleepingComputer’s February 2025 Patch Tuesday summary; Tenable’s February 2025 Patch Tuesday analysis.
2. Contextual Background
2.1 Nature of the threat
Microsoft’s February 2025 release patched 55 vulnerabilities (with severity distribution reported as 3 Critical and 52 Important) and included four “zero-day” vulnerabilities (defined by Microsoft as publicly disclosed and/or actively exploited prior to an official fix). See: Tenable’s breakdown and BleepingComputer’s roundup.
Note on counting: Some third-party roundups report different totals because they include additional products (e.g., separate browser releases) or apply different counting methodologies. For example, Rapid7’s analysis discusses exclusions and separate publications that can shift headline numbers.
2.2 Threat-actor attribution (Confidence: Unconfirmed)
Microsoft and major public roundups did not attribute the observed in-the-wild exploitation to a specific threat actor, and did not publish sufficient technical artefacts to support a confident attribution. For both actively exploited CVEs, public reporting repeatedly notes that exploitation details were not disclosed. See: BleepingComputer and Tenable.
2.3 Sector and geographic targeting
Public sources did not identify specific sectors or geographies as primary targets for the two exploited zero-days. Given both are Windows elevation-of-privilege (EoP) flaws, defenders should assume broad applicability across environments where attackers can obtain local execution (initial access via phishing, drive-by, or software supply chain; then privilege escalation).
3. Technical Analysis
3.1 Zero-days addressed (2 exploited, 2 publicly disclosed)
Actively exploited in the wild
- CVE-2025-21418 — Windows Ancillary Function Driver for WinSock (AFD) Elevation of Privilege (EoP). Reported as exploited in the wild at release.
Microsoft Advisory for CVE-2025-21418 | NVD
Analysis: Tenable coverage; Rapid7 commentary. - CVE-2025-21391 — Windows Storage Elevation of Privilege (EoP) with reported in-the-wild exploitation; described as enabling deletion of targeted files.
Microsoft Advisory for CVE-2025-21391 | NVD
Analysis: Tenable coverage; Rapid7 commentary.
Publicly disclosed prior to patch availability
- CVE-2025-21194 — Microsoft Surface Security Feature Bypass; public reporting describes this as a hypervisor/UEFI-related bypass scenario in Surface contexts.
Microsoft Advisory for CVE-2025-21194 | NVD
Context: BleepingComputer summary; Rapid7 analysis. - CVE-2025-21377 — NTLM hash disclosure (Spoofing) vulnerability; publicly disclosed before Patch Tuesday, with public discussion indicating NTLM hash exposure risk via crafted file interactions.
Microsoft Advisory for CVE-2025-21377 | NVD
Disclosure context: 0patch’s disclosure write-up (updated to CVE-2025-21377); severity/likelihood discussion: Tenable analysis.
3.2 Critical RCE vulnerabilities (high priority, especially for exposed services/users)
Public roundups highlighted three Critical RCE issues, including:
- CVE-2025-21376 — Windows LDAP RCE
Microsoft Advisory for CVE-2025-21376 | NVD
Analysis: Tenable; Rapid7. - CVE-2025-21379 — Windows DHCP Client Service RCE
Microsoft Advisory for CVE-2025-21379 | NVD
Analysis: Rapid7. - CVE-2025-21381 — Microsoft Excel RCE (user interaction; preview/inspection scenarios discussed in public analysis)
Microsoft Advisory for CVE-2025-21381 | NVD
Analysis: Rapid7.
3.3 MITRE ATT&CK mapping (observed vs. plausible)
Because Microsoft did not publish exploitation chains or operator TTPs, the mapping below reflects what these vulnerabilities commonly enable rather than confirmed end-to-end campaigns:
- Privilege escalation via exploited local flaws: T1068
- NTLM hash exposure enabling pass-the-hash style authentication abuse: T1550.002
- Destructive/availability impact via targeted file deletion (context-dependent): T1485
4. Impact Assessment
4.1 Severity and scope
The two in-the-wild zero-days (CVE-2025-21418 and CVE-2025-21391) are Windows EoP vulnerabilities that can materially increase attacker capability after initial access (e.g., SYSTEM-level execution, or deletion of protected files). Their CVSS base scores are discussed by major roundups (e.g., Tenable notes 7.8 for CVE-2025-21418 and 7.1 for CVE-2025-21391), but defenders should treat “exploitation detected” as the dominant prioritisation signal. See: Tenable’s scoring and commentary.
For the publicly disclosed issues, Microsoft’s exploitability guidance is commonly communicated via its Exploitability Index categories (e.g., “Exploitation more likely” vs. “less likely”). See: Microsoft’s Exploitability Index reference.
4.2 Victim profile
No victimology was published for the exploited zero-days. The practical risk profile remains broad: Windows endpoints and servers (for the EoP issues), Surface devices (for CVE-2025-21194), and user workstations where Office file-handling workflows expose users to crafted content (for the Excel RCE and NTLM hash disclosure scenarios). See: BleepingComputer; Rapid7.
5. Indicators of Compromise (IOCs)
5.1 IOC table
Microsoft and major public roundups did not publish technical IOCs (hashes/domains/IPs), exploit artefacts, or intrusion sets associated with the in-the-wild exploitation of CVE-2025-21418 and CVE-2025-21391. Public reporting explicitly notes the lack of exploitation detail. See: BleepingComputer’s coverage; Tenable’s notes on limited exploitation detail.
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| IOC | N/A | No public IOCs released for the in-the-wild exploitation at the time of Patch Tuesday reporting. | BleepingComputer |
5.2 Detection guidance
- Exploit-to-EoP hunt: look for sequences where an unprivileged context quickly results in SYSTEM-level process creation, token changes, or service manipulation (environment-specific baselines required).
- File deletion abuse (CVE-2025-21391): monitor for unexpected deletion of protected or operationally critical files, especially where deletions align with suspicious interactive sessions or post-compromise tooling.
- NTLM hash exposure (CVE-2025-21377): hunt for anomalous outbound SMB/WebDAV authentication attempts and unexpected NTLM authentication to untrusted hosts immediately after file interaction; this risk was discussed in public disclosure context. See: 0patch’s disclosure write-up.
6. Incident Response Guidance
6.1 Containment, eradication, and recovery
- Patch first where exploitation is confirmed: prioritise updates addressing CVE-2025-21418 and CVE-2025-21391. These were explicitly reported as exploited in the wild. See: BleepingComputer; Tenable.
- Assume post-compromise leverage: EoP exploitation is frequently used to disable security controls, dump credentials, deploy ransomware, or establish durable persistence. Review recent admin-level actions and EDR tamper events around the patch window.
- Reduce exposed attack surface: restrict lateral management protocols, tighten local admin membership, and ensure credential-protection controls are enabled where feasible (implementation varies by estate).
6.2 Forensic artefacts to collect and preserve
- EDR telemetry around privilege transitions (process tree, token integrity changes, service installs/changes).
- Windows event logs relevant to authentication and service activity (Security, System, PowerShell logs if enabled).
- File system auditing output for high-value paths (where enabled), especially abnormal deletion bursts.
6.3 Lessons learned
- Where vendor/public reporting is sparse, mature programmes should pair “patch now” with “hunt now” using hypothesis-driven detections rather than waiting for IOCs.
7. Threat Intelligence Contextualisation
7.1 Similar incident patterns
In-the-wild Windows EoP vulnerabilities are frequently leveraged after initial access to accelerate ransomware deployment and credential theft. While February 2025 reporting did not provide a specific actor link, Rapid7 highlighted similarities between AFD-related EoP issues and past abuse patterns. See: Rapid7’s AFD discussion.
7.2 MITRE ATT&CK lifecycle mapping (high-level)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Plausible use for CVE-2025-21418 and CVE-2025-21391 following initial access; Microsoft confirmed exploitation but did not publish operator TTPs. |
| Credential Access | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Plausible follow-on for NTLM hash disclosure scenarios (CVE-2025-21377), based on public disclosure context rather than confirmed campaigns. |
| Impact | T1485 | Data Destruction | Plausible impact if attackers weaponise file deletion capability (CVE-2025-21391) against availability-critical files. |
8. Mitigation Recommendations
8.1 Actionable hardening and configuration steps
- Accelerate patch deployment for exploited and publicly disclosed CVEs, with explicit SLAs for Windows endpoints and servers.
- Reduce NTLM exposure where feasible (credential protections and tighter outbound authentication policies), particularly relevant to hash disclosure scenarios discussed publicly for CVE-2025-21377. See: 0patch disclosure context.
- Enable Attack Surface Reduction (ASR) rules to reduce Office-based attack chains (where operationally feasible). Microsoft documentation: ASR rules reference (including “Block all Office applications from creating child processes”).
8.2 Patch management prioritisation
- Priority 0 (Immediate): CVE-2025-21418 and CVE-2025-21391 (exploitation detected). See: BleepingComputer; Tenable.
- Priority 1 (Urgent): Critical RCEs (CVE-2025-21376, CVE-2025-21379, CVE-2025-21381), especially where services/users are exposed to untrusted networks/content. See: Rapid7’s critical RCE summary.
- Priority 2 (High): Publicly disclosed zero-days (CVE-2025-21194, CVE-2025-21377) to reduce the window for opportunistic exploitation. See: BleepingComputer; 0patch disclosure update.
9. Historical Context & Related Vulnerabilities
Public analysis noted historical recurrence of AFD/WinSock driver EoP issues and broader trends in NTLM-related weaknesses. For example, Tenable contextualised AFD/WinSock EoP patterns and referenced previous related vulnerabilities. See: Tenable’s historical notes. For the NTLM hash disclosure theme, disclosure discussion and remediation lag were documented publicly by 0patch. See: 0patch write-up.
10. Future Outlook
- Expectation of rapid copycat activity: publicly disclosed issues (and high-visibility Patch Tuesday “exploitation detected” flags) frequently drive short-term scanning and low-effort weaponisation.
- Privilege escalation remains a staple: Windows EoP vulnerabilities continue to be valuable for post-compromise operations (ransomware, credential access, defence evasion), even when initial access vectors vary.
- Defender posture matters: environments combining fast patching, strong endpoint controls, and robust identity protections consistently reduce attacker dwell time in these scenarios.
11. Further Reading
- Microsoft Security Update Guide (February 2025 release context)
- BleepingComputer: February 2025 Patch Tuesday fixes 4 zero-days
- Tenable: Microsoft’s February 2025 Patch Tuesday addresses 55 CVEs
- Rapid7: Patch Tuesday – February 2025
- 0patch: NTLM hash disclosure (later assigned CVE-2025-21377)
- Microsoft Defender: Attack surface reduction rules reference
- Microsoft: Exploitability Index definitions