Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it said has come under active exploitation in the wild.
Of the 63 vulnerabilities, three are rated Critical, 57 are rated Important, one is rated Moderate, and two are rated Low in severity. This is aside from the 23 flaws Microsoft addressed in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update.
The update is notable for fixing two actively exploited flaws –
- CVE-2025-21391 (CVSS score: 7.1) – Windows Storage Elevation of Privilege Vulnerability
- CVE-2025-21418 (CVSS score: 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
“An attacker would only be able to delete targeted files on a system,” Microsoft said in an alert for CVE-2025-21391. “This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable.”
Mike Walters, president and co-founder of Action1, noted that the vulnerability could be chained with other flaws to escalate privileges and perform follow-on actions that can complicate recovery efforts and allow threat actors to cover up their tracks by deleting crucial forensic artifacts.
CVE-2025-21418, on the other hand, concerns a case of privilege escalation in AFD.sys that could be exploited to achieve SYSTEM privileges.
It’s worth noting that a similar flaw in the same component (CVE-2024-38193) was disclosed by Gen Digital last August as being weaponized by the North Korea-linked Lazarus Group. In February 2024, the tech giant also plugged a Windows kernel privilege escalation flaw (CVE-2024-21338) affecting the AppLocker driver (appid.sys) that was also exploited by the hacking crew.
These attack chains stand out because they go beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack by taking advantage of a security flaw in a native Windows driver, thereby obviating the need for introducing other drivers into target environments.
It’s currently not known if the abuse of CVE-2025-21418 is linked to the Lazarus Group as well. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both the flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by March 4, 2025.
The most severe of the flaws addressed by Microsoft in this month’s update is CVE-2025-21198 (CVSS score: 9.0), a remote code execution (RCE) vulnerability in the High Performance Compute (HPC) Pack.
“An attacker could exploit this vulnerability by sending a specially crafted HTTPS request to the targeted head node or Linux compute node granting them the ability to perform RCE on other clusters or nodes connected to the targeted head node,” Microsoft said.
Also worth mentioning is another RCE vulnerability (CVE-2025-21376, CVSS score: 8.1) impacting Windows Lightweight Directory Access Protocol (LDAP) that permits an attacker to send a specially crafted request and execute arbitrary code. However, successful exploitation of the flaw requires the threat actor to win a race condition.
“Given that LDAP is integral to Active Directory, which underpins authentication and access control in enterprise environments, a compromise could lead to lateral movement, privilege escalation, and widespread network breaches,” Ben McCarthy, lead cybersecurity engineer at Immersive Labs, said.
Elsewhere, the update also resolves a NTLMv2 hash disclosure vulnerability (CVE-2025-21377, CVSS score: 6.5) that, if successfully exploited, could permit an attacker to authenticate as the targeted user.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past couple of weeks to rectify several vulnerabilities, including —
