Microsoft on Tuesday launched fixes for 63 security flaws impacting its software program merchandise, together with two vulnerabilities that it stated has come underneath energetic exploitation within the wild.
Of the 63 vulnerabilities, three are rated Essential, 57 are rated Vital, one is rated Reasonable, and two are rated Low in severity. That is except for the 23 flaws Microsoft addressed in its Chromium-based Edge browser for the reason that launch of final month’s Patch Tuesday update.
The replace is notable for fixing two actively exploited flaws –
- CVE-2025-21391 (CVSS rating: 7.1) – Home windows Storage Elevation of Privilege Vulnerability
- CVE-2025-21418 (CVSS rating: 7.8) – Home windows Ancillary Operate Driver for WinSock Elevation of Privilege Vulnerability
“An attacker would solely be capable to delete focused information on a system,” Microsoft stated in an alert for CVE-2025-21391. “This vulnerability doesn’t permit disclosure of any confidential info, however might permit an attacker to delete knowledge that might embody knowledge that leads to the service being unavailable.”
Mike Walters, president and co-founder of Action1, noted that the vulnerability might be chained with different flaws to escalate privileges and carry out follow-on actions that may complicate restoration efforts and permit menace actors to cowl up their tracks by deleting essential forensic artifacts.
CVE-2025-21418, then again, considerations a case of privilege escalation in AFD.sys that might be exploited to realize SYSTEM privileges.
It is value noting {that a} related flaw in the identical element (CVE-2024-38193) was disclosed by Gen Digital final August as being weaponized by the North Korea-linked Lazarus Group. In February 2024, the tech big additionally plugged a Home windows kernel privilege escalation flaw (CVE-2024-21338) affecting the AppLocker driver (appid.sys) that was additionally exploited by the hacking crew.
These assault chains stand out as a result of they transcend a standard Deliver Your Personal Weak Driver (BYOVD) assault by profiting from a safety flaw in a local Home windows driver, thereby obviating the necessity for introducing different drivers into goal environments.
It is presently not recognized if the abuse of CVE-2025-21418 is linked to the Lazarus Group as nicely. The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added each the issues to its Identified Exploited Vulnerabilities (KEV) catalog, requiring federal companies to use the patches by March 4, 2025.
Probably the most extreme of the issues addressed by Microsoft on this month’s replace is CVE-2025-21198 (CVSS rating: 9.0), a distant code execution (RCE) vulnerability within the Excessive Efficiency Compute (HPC) Pack.
“An attacker might exploit this vulnerability by sending a specifically crafted HTTPS request to the focused head node or Linux compute node granting them the power to carry out RCE on different clusters or nodes related to the focused head node,” Microsoft stated.
Additionally value mentioning is one other RCE vulnerability (CVE-2025-21376, CVSS rating: 8.1) impacting Home windows Light-weight Listing Entry Protocol (LDAP) that allows an attacker to ship a specifically crafted request and execute arbitrary code. Nonetheless, profitable exploitation of the flaw requires the menace actor to win a race situation.
“On condition that LDAP is integral to Energetic Listing, which underpins authentication and entry management in enterprise environments, a compromise might result in lateral motion, privilege escalation, and widespread community breaches,” Ben McCarthy, lead cybersecurity engineer at Immersive Labs, stated.
Elsewhere, the replace additionally resolves a NTLMv2 hash disclosure vulnerability (CVE-2025-21377, CVSS rating: 6.5) that, if efficiently exploited, might allow an attacker to authenticate because the focused consumer.
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors over the previous couple of weeks to rectify a number of vulnerabilities, together with —
Source link