Current events · 2 MIN READ · MATT JASTRAM · FEB 12, 2025 · TAGS: vulnerability prioritization
TL;DR
- February had significantly fewer CVEs than January, but three of them require patching ASAP
- The vulnerabilities can be patched through the normal Windows update process
- However, it’s important to ensure those updates get applied to all impacted systems in a timely manner to prevent additional exploitation
Valentine’s love: for Patch Tuesday, Microsoft only published a kindhearted 63 CVEs
For February’s Patch Tuesday, our team reviewed all 63 CVEs Microsoft released. A few of them already have exploitation evidence in the wild; below are the three CVEs we recommend remediating immediately based on our team’s analysis.
To address risky vulnerabilities, Expel’s Vulnerability Prioritization service focuses 100% on CVEs with actual exploitation risk. Although we review Microsoft’s entire CVE list every month, we track only a fractional percentage of it, because only a few CVEs are actually leveraged by threat actors. Our goal is to keep our customers’ remediation focused on those CVEs, which significantly reduces the level of effort required to patch.
- Microsoft Windows Storage Elevation of Privilege Vulnerability: Microsoft’s operating system uses Windows Storage to manage how data is stored (via physical and virtual methods). The patch release details that an attacker with local access could traverse the Windows Storage file system and delete targeted files. Microsoft states the vulnerability is already being exploited, and the Cybersecurity and Infrastructure Security Agency (CISA) immediately added CVE-2025-21391 to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft doesn’t give many details on which file(s) attackers are deleting, but it hints that the deletions can cause the Windows Storage service to stop functioning. Microsoft issued 27 updates, covering multiple server versions as well as Windows 10 and 11 endpoints. We recommend fixing it quickly!
- Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability: The WinSock driver is responsible for handling network connections, and it has been a popular driver to exploit over the years. Although Microsoft has been quiet about the exploitation details for CVE-2025-21418, its update states that a successful threat actor could gain SYSTEM privileges. A low-privileged local attacker could trigger a use-after-free in the Ancillary Function Driver for WinSock to manipulate memory allocation and execute code. CISA noted that it’s being actively exploited and added it to the KEV catalog. Microsoft has provided 37 updates for this vulnerability, covering Windows Server versions from 2008 through 2022. Again, we recommend taking remediation steps soon.
- NTLM Hash Disclosure Spoofing Vulnerability: We’ve seen plenty of Microsoft Windows New Technology LAN Manager (NTLM)-type attacks where threat actors leverage NTLM credentials (a stored, hashed form of a password) to initiate unauthorized network sessions. This vulnerability (CVE-2025-21377) can be leveraged over the network, but it requires user interaction: a threat actor must trick an authorized user into interacting via a social engineering tactic. Microsoft has provided 37 updates for this vulnerability, covering Windows Server versions from 2008 through 2025. Due to the potential impact, we recommend remediating to reduce risk.
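All three fixes ship through the normal Windows update channel, so the remaining work is confirming the update actually landed on every impacted host. The script below is an added example (not from the Expel post or from Microsoft) that checks a list of hosts for any security update installed on or after February’s Patch Tuesday (2025-02-11); it assumes remote access to the hosts is allowed, and the host names are constructed placeholders.

```powershell
# Added example: flag hosts with no security update installed since February's Patch Tuesday.
# Assumes the account running this can query the remote hosts (WinRM/DCOM), and that the
# host list is replaced with your own inventory. Host names below are constructed placeholders.

$patchTuesday = Get-Date '2025-02-11'
$targetHosts  = @('SRV-FILE01', 'SRV-AD02', 'WKS-FIN-07')   # constructed placeholder names

function Get-SecurityUpdatesSince {
    param([string]$ComputerName, [datetime]$Since)
    # Get-HotFix reads Win32_QuickFixEngineering. InstalledOn is empty for some entries,
    # so only entries that carry a date and are described as a security update count.
    Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object {
            $_.InstalledOn -and $_.InstalledOn -ge $Since -and $_.Description -like '*Security*'
        }
}

$report = foreach ($h in $targetHosts) {
    try {
        $updates = @(Get-SecurityUpdatesSince -ComputerName $h -Since $patchTuesday)
        [pscustomobject]@{
            Host    = $h
            Updates = ($updates.HotFixID -join ', ')
            Status  = if ($updates.Count -gt 0) { 'Patched since Patch Tuesday' }
                      else { 'NO security update since Patch Tuesday' }
        }
    } catch {
        # An unreachable host is as much a gap as an unpatched one; keep it in the report.
        [pscustomobject]@{ Host = $h; Updates = ''; Status = "Unreachable: $($_.Exception.Message)" }
    }
}

# Unpatched and unreachable hosts sort to the top so they get attention first.
$report | Sort-Object Status -Descending | Format-Table -AutoSize
```

Get-HotFix reflects installed QFE records only, so a host that has downloaded the update but is still waiting on a reboot will show as unpatched; treat that as a prompt to finish the install rather than a false alarm.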
The table below provides a holistic view of the number of CVEs Microsoft releases monthly versus the number of vulnerabilities with actual evidence of exploitation. The proportions are quite small, which is why our monthly Patch Tuesday posts only highlight a handful of CVEs with immediate remediation needs. The best use of time is focusing on CVEs with actual exploitation evidence, rather than the massive number of CVEs released.
| Patch month | Total Microsoft CVEs released | % of CVEs with exploitation evidence |
|---|---|---|
| February 2025 | 63 | 3.7% |
| January 2025 | 159 | 2.5% |
| December 2024 | 73 | 4.1% |
| November 2024 | 89 | 0% |
| October 2024 | 117 | 1.7% |
| September 2024 | 79 | 6.3% |
| August 2024 | 102 | 6.7% |
That’s it for this month. If you have any questions about these specific vulnerabilities (or others on the Patch Tuesday list)—or if you’re interested in learning how Expel Vulnerability Prioritization can give you context for your own environment—get in touch.