Microsoft takes it easy on February’s Patch Tuesday • The Register

Patch Tuesday Microsoft’s February patch assortment is mercifully smaller than January’s mega-dump. However do not get too relaxed – some deserve shut consideration, and different distributors have stepped in with a lot extra fixes.

Of the 63 patches (together with six launched earlier within the month) Microsoft introduced, two are already being exploited.

Each require attackers to be native and authenticated. One is CVE-2025-21418: A CVSS 7.8-scored elevation of privilege vulnerability within the Home windows Ancillary Perform Driver for Winsock that permits an attacker to execute a specifically crafted program to realize SYSTEM-level privileges. The flaw impacts machines working Home windows 10, 11, and numerous variations of Home windows Server.

The opposite: CVE-2025-21391, a CVSS 7.1-rated elevation of privilege vulnerability in Home windows Storage meaning an area attacker can delete recordsdata beneath restricted and obscure circumstances. As Home windows Storage is current in Home windows Server, that raises the likelihood that knowledge apps depend on might be deleted.

Microsoft additionally detailed two points which can be publicly recognized, even when they have not but been exploited. These of you with Floor package – a laptop computer or pill – might want to contemplate fixing CVE-2025-21194, a 7.1-rated vulnerability meaning some PCs are inclined to compromise of the hypervisor and the safe kernel.

Hypervisor compromises are very nasty, however Microsoft says exploiting this flaw “requires a number of circumstances to be met, resembling particular software habits, consumer actions, manipulation of parameters handed to a perform, and impersonation of an integrity stage token.”

The opposite recognized vulnerability is CVE-2025-21377, which may leak a consumer’s NTLMv2 hash. What makes this CVSS 6.5 flaw notably annoying is that the consumer does not have to do a lot—merely deciding on the file (single-click), right-clicking to examine it, or performing one other motion in need of opening or executing it might set off the vulnerability.

Microsoft’s highest-scored February flaw is CVE-2025-21198, which earned a 9.0 CVSS ranking. This one may have critical penalties for high-performance computing infrastructure by permitting distant code execution. The attacker would want entry to the community connecting machines in a focused HPC cluster, however as soon as exploited, this flaw may lengthen to different clusters and nodes throughout the similar community.

“An attacker may exploit this vulnerability by sending a specifically crafted HTTPS request to the focused head node or Linux compute node granting them the flexibility to carry out RCE on different clusters or nodes linked to the focused head node,” Microsoft warned.

Excel acquired 5 patches this month – all rated 7.8 – with one deemed a crucial patching precedence by Redmond and 4 classed as necessary. CVE-2025-21381 is the one Microsoft needs you to repair first because it permits distant code execution, although technically labeled as an area assault. The “distant” side refers to how the attacker delivers the malicious file to abuse the bug. On this case, an attacker may use social engineering to trick a sufferer into opening a specifically crafted file, resulting in arbitrary code execution.

Microsoft additionally urges consideration to CVE-2025-21379, a flaw within the DHCP Shopper Service for all builds of Home windows. The 7.1-rated bug is difficult to use and requires an attacker to completely map the community and execute a machine-in-the-middle (MITM) assault with precision. If an attacker can do this, they might be deep in your infrastructure by the point they get round to focusing on this flaw.

Technically CVE-2025-21177, a CVSS 8.7 flaw that permits an elevation of privileges assault towards Dynamics 365, can be rated crucial by Microsoft. Fortunately, nevertheless, Redmond has already absolutely mitigated this vulnerability, and there is no motion required from customers.

When you’re a Home windows Telephony consumer, six patches await – all ranked as necessary by Redmond and with CVSS scores of 8.8. For Workplace customers, Microsoft has patched a number of vulnerabilities, together with a few distant code execution flaws and a spoofing vulnerability affecting the suite.

Different distributors patch, too

It would not be a Patch Tuesday with out Adobe including to the load with 45 patches – though unusually there is no patches for Acrobat this month.

31 of the patches apply to Adobe Commerce, to repair cross-site scripting (XSS) bugs, safety characteristic bypasses, and Vital-rated code execution flaws. Customers of the open supply Magneto software program ought to prioritize these updates, as that undertaking stays a frequent goal of assaults.

InDesign will get seven bug fixes, 4 of them rated crucial, whereas Illustrator’s three critical-rated bugs may result in arbitrary code execution when opening a malicious file.

Substance 3D and InCopy each obtain a single critical-rated code execution repair, whereas Photoshop is patched for an important-rated privilege escalation flaw, relevant to macOS on Arm.

SAP pushed out 21 particular person patches, ranging in CVSS rating from 8.8 to three.1. The majority apply to NetWeaver, together with a cross-site scripting situation. Moreover, SAP’s Enterprise Mission Connection will get a patch that fixes a number of issues.

Fortinet has issued safety updates for a number of merchandise, notably addressing a critical authentication bypass vulnerability in FortiOS and FortiProxy. With a CVSS rating of 9.6, this one appears like a powerful candidate to be utilized in your subsequent change window. ®