Microsoft Fixes Another Two Actively Exploited Zero-Days

Microsoft has been forced to issue security updates for four more zero-day vulnerabilities, including two currently under active exploitation.
The tech giant’s February Patch Tuesday update round features fixes for over 50 CVEs, including 22 remote code execution (RCE) bugs, 19 elevation of privilege (EoP) flaws and two security feature bypass vulnerabilities.
The CVEs under active exploitation include CVE-2025-21391, a Windows Storage EoP bug with a CVSS score of 7.1.
“At first glance, it ‘only’ allows deleting targeted files, yet the real power lies in pairing it with code execution to escalate privileges. It poses no threat to confidentiality but can strike hard at integrity and availability – leaving servers crippled if key data is removed,” explained Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit (TRU).
“Technically, the bug leverages an arbitrary file/folder deletion in Windows, allowing attackers to remove a crucial system item and recreate it with weak permissions. This tricks Windows into running attacker-controlled content, ultimately granting system-level access. In other words, don’t dismiss this as a minor bug: it’s a stealthy stepping stone to full control of a system.”
The second actively exploited zero-day vulnerability is CVE-2025-21418 – another EoP bug, but this time in the Windows Ancillary Function Driver (AFD) for WinSock. It applies to all Windows versions containing the vulnerable AFD.sys driver, including Windows 10, Windows 11, and Windows Server 2016 and later, according to Action1 co-founder Alex Vovk.
“Successful exploitation grants system privileges, the highest level in Windows, allowing an attacker to install programs, manipulate data, create accounts with full user rights and modify system configurations and security settings,” he added.
“Potential attack paths include gaining initial access through social engineering or malware, leveraging the vulnerability to escalate privileges. If combined with an RCE vulnerability, an attacker could remotely compromise a system, elevate privileges to system, disable security tools to evade detection and execute multi-stage attacks to infiltrate secure environments.”
The two publicly disclosed zero-days that have not yet been exploited in the wild are:
- CVE-2025-21194 – a Microsoft Surface security feature bypass bug which relates to “virtual machines within a Unified Extensible Firmware Interface (UEFI) host machine,” according to Microsoft. On certain hardware it may be possible to bypass the UEFI and compromise the hypervisor and secure kernel.
- CVE-2025-21377 – an NTLM hash disclosure spoofing vulnerability which could allow a remote attacker to log in while masquerading as a legitimate user.