Microsoft Releases Fixes for 63 Flaws and Two Actively Used Zero-Day Vulnerabilities
On February 11th, 2025, Microsoft released a new security update that aims to fix total of 63 security risks, and two zero-day vulnerabilities that are being exploited. Of the 63 identified vulnerabilities, three are classified as critical, 57 are deemed important, and one is considered moderate. Further updates aim to address existing issues affecting Edge Browser since the recent update in previous months. Based on Microsoft’s official website, the critical updates involve fixing Privilege escalation vulnerability. The most severe of the flaws addressed by Microsoft in this month’s update is CVE-2025-21198 (CVSS score: 9.0), a remote code execution (RCE) vulnerability in the High Performance Compute (HPC) Pack.
“An attacker could exploit this vulnerability by sending a specially crafted HTTPS request to the targeted head node or Linux compute node granting them the ability to perform RCE on other clusters or nodes connected to the targeted head node,” Microsoft said.
Technical Description
CVE-2025-21418 – Windows Ancillary Function Driver (AFD.sys) Elevation of Privilege Vulnerability:
This is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys). An authenticated attacker could exploit this flaw by running a specially crafted program, potentially gaining SYSTEM-level privileges. This vulnerability has been actively exploited. The Update Corrects how AFD.sys handles objects in memory to prevent privilege escalation.
CVE-2025-21391 – Windows Storage Elevation of Privilege Vulnerability:
This elevation of privilege vulnerability affects Windows Storage. An attacker could exploit it to delete targeted files on a system, which might lead to service disruptions. This vulnerability has also been actively exploited. The update reconfigured windows storage file operation handling to close the security gap.
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2025-21376):
This critical vulnerability affects the Windows LDAP component. An unauthenticated attacker can exploit this flaw by sending specially crafted requests to a vulnerable LDAP server, potentially allowing attackers to execute arbitrary code remotely. The update corrects how LDAP handles specific requests.
DHCP Client Service Remote Code Execution Vulnerability (CVE-2025-21379):
This is a critical remote code execution (RCE) vulnerability affecting the Windows Dynamic Host Configuration Protocol (DHCP) Client Service. This vulnerability allows an attacker to execute arbitrary code on a target system by intercepting and potentially modifying communications between the Windows DHCP client and the requested resource. Exploitation requires the attackers to perform a machine-in-the-middle (MITM) attack, positioning themselves between the target and the resource.
Additionally, the update enhances security by adding more drivers to the Windows Kernel Vulnerable Driver Blocklist, mitigating potential Bring Your Own Vulnerable Driver (BYOVD) attacks.
Conclusion
The critical remote code execution (RCE) and OS command injection vulnerabilities in Ivanti products pose serious risks to organizations using affected versions. Exploiting these flaws could allow attackers to take control of systems, execute arbitrary code, access sensitive data and compromise system integrity. To mitigate these threats, organizations must immediately apply patches and update to the latest versions to secure their systems against potential exploitation.
Impact
Microsoft update (KB5051987) delivers critical security fixes, notably patching CVE-2025-21418 (a privilege escalation flaw in AFD.sys) and CVE-2025-21391 (a Windows Storage vulnerability enabling unauthorized file deletions). These fixes mitigate risks of malware deployment, privilege abuse, and data loss. The update also enhances cursor stability, File Explorer functionality, and AI-powered Windows Studio Effects for improved user experience. However, it introduces compatibility issues, including OpenSSH service failures and Citrix SRA v2411 installation problems, requiring caution in enterprise deployments. Overall, it strengthens Windows security posture while improving system performance and usability.
IOC and Context Details
| Topics | Details |
|---|---|
| Tactic Name | Elevation of Privilege |
| Technique Name | Exploitation of privilege escalation |
| Sub Technique Name | Exploitation of vulnerability in AFD.sys |
| Attack Type | Local Elevation of Privilege |
| Targeted Applications | Microsoft, Edge explorer. AFD.sys |
| Region Impacted | Global |
| Industry Impacted | All |
| IOC’s | NA |
| CVE | CVE-2025-21391, CVE-2025-21418, CVE-2025–21381, CVE-2025–21376, CVE-2025–21379 |
Recommended Actions
- Apply appropriate patches and mitigations from Microsoft after testing.
- Create and uphold a documented vulnerability management process, with an annual review included.
- Perform automated application patch management on enterprise assets on a monthly basis, or more frequently as required.
- Implement the Principle of Least Privilege for systems and services.
- Manage default accounts on enterprise assets and software effectively.
- Limit administrator privileges to dedicated admin accounts, using non-privileged accounts for everyday tasks.