Microsoft just dropped its Patch Tuesday security update for February 2025. It is a monthly update for Windows that includes all of the security patches and stability fixes Microsoft has been working on since the last release. But just because these updates arrive without any new user-facing features, that doesn't mean they aren't equally as important, if not more so.
As reported by Bleeping Computer, this latest Patch Tuesday update fixes 55 security flaws throughout Windows. That includes 22 remote code execution flaws, 19 elevation of privilege flaws, 9 denial of service flaws, three spoofing flaws, two security feature bypass flaws, and one information disclosure flaw.
Here's what Microsoft fixed with its latest Patch Tuesday update
While all 55 flaws were worth addressing, four of them were particularly important to fix, and patching two of those was even more critical. That's because four of these flaws were zero-day vulnerabilities, security flaws that are publicly known without an available patch. That's a recipe for disaster: Bad actors will inevitably discover ways to exploit security flaws, but the key is for software developers to discover and fix these flaws before bad actors even have a chance to know what these flaws are. When flaws are discovered before a fix is available, it sharply increases the chances of an exploit being developed before a patch can be created.
In this case, there were four such vulnerabilities fixed in this latest Patch Tuesday update. Two of these have not been actively exploited; at least, Microsoft says they haven't. One is CVE-2025-21194, a Microsoft Surface security feature bypass vulnerability that could make it possible to bypass the Unified Extensible Firmware Interface (UEFI) and compromise both the hypervisor and secure kernel of specific machines. Plainly speaking, the flaw could allow bad actors to compromise the program powering virtual machines on Windows, as well as the core of your OS.
The other publicly disclosed flaw was CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, which allows bad actors to access your computer's NTLM hash to obtain your plain-text password. With this particular flaw, a user might only need to select, right-click, or interact with a malicious file in order to trigger the exploit, which could then let a hacker log into the machine as the user. Microsoft is staying pretty quiet about this one.
However, the other two zero-day flaws patched in this update were, in fact, actively exploited. That includes CVE-2025-21391, a Windows storage elevation of privilege vulnerability that allowed bad actors to delete targeted files on your computer. Microsoft clarified the flaw doesn't allow bad actors to see your confidential information, but being able to delete files means attackers could break parts of your system. The second actively exploited zero-day flaw was CVE-2025-21418, an elevation of privilege vulnerability that allowed bad actors to gain system privileges in Windows. Microsoft didn't share how either of these flaws were exploited by bad actors, and is keeping the identities of those who discovered them anonymous.
While we don't know the full scope of these last two zero-days, it's important to update and patch them ASAP. As they're actively being exploited, it's possible someone could use them against your computer unless you install the patch.
How to install the latest security updates on Windows
To protect your PC, install this latest Patch Tuesday update as soon as possible. To do so, head to Start > Settings > Windows Update, then choose Check for Windows updates.