
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that two recently disclosed Microsoft zero-day vulnerabilities are being actively exploited by threat actors and urges users to patch them.
Microsoft has released updates for actively exploited zero-day vulnerabilities. CISA leaves federal agencies three weeks, until March 4th, to implement the mitigations.
One of the exploited privilege escalation flaws, a heap-based buffer overflow, lies in the Microsoft Windows Ancillary Function Driver for WinSock (afd.sys), the kernel driver that implements Windows socket networking.
Attackers who successfully exploit this flaw, tracked as CVE-2025-21418, gain SYSTEM privileges. Functional exploit code already exists, and no workarounds or mitigations other than the patch are available. Microsoft rated the flaw 7.8 out of 10 on the CVSS scale.
“This vulnerability could allow an attacker to delete data, including data that results in the service being unavailable,” CISA added in its advisory.
Another actively exploited zero-day affects the Windows Storage component. The affected code handles file and folder shortcuts and symbolic links that point to other locations on the computer or the network.
This flaw, tracked as CVE-2025-21391, allows attackers to elevate privileges and delete data, which can render services unavailable. It is rated 7.1 out of 10.
“This vulnerability does not allow disclosure of confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable,” Microsoft said.
Researchers at the Zero Day Initiative (ZDI) by Trend Micro said they haven’t previously seen this type of bug exploited publicly. Microsoft doesn’t provide any information on how widespread these attacks are.
“It’s also likely paired with a code execution bug to completely take over a system. Test and deploy this quickly,” the researchers said.
Microsoft’s February 2025 Patch Tuesday update covers 63 security vulnerabilities in multiple products. Sophos warned that 17 of these flaws are likely to be exploited in the next 30 days.
Three vulnerabilities are labeled as critical:
- A remote code execution vulnerability, CVE-2025-21379, affects the DHCP Client Service, which automatically obtains an IP address and network settings. Exploitation requires the attacker to be positioned in the network path between the victim and the resource it requests (a man-in-the-middle position), from which they can read or modify network communications. The attack is limited to systems connected to the same network segment as the attacker and cannot be performed across multiple networks.
- A Server-Side Request Forgery (SSRF) flaw in Microsoft Dynamics 365 Sales, a cloud-based customer relationship management (CRM) application, allowed an authorized attacker to elevate privileges over a network. Microsoft has already fully mitigated this flaw on the service side, and no user action is required.
- A remote code execution flaw affects the Windows Lightweight Directory Access Protocol (LDAP) server. An unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server, causing a buffer overflow that could be leveraged to achieve remote code execution. According to ZDI, because no user interaction is involved, the bug is wormable between affected LDAP servers.
Many other patches affect Excel and other Office components.
The updates also come with some known issues. Roblox players on Arm devices are unable to download and play the game from the Microsoft Store on Windows. Some customers report that the OpenSSH (sshd) service fails to start after the update, preventing SSH connections.
Devices with certain Citrix components installed might be unable to complete the January 2025 Windows security update installation.
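The following script is an added example, not code from the article, CISA or Microsoft. It performs the basic triage an administrator would want after this Patch Tuesday on a single host: confirm that updates have been installed since the February release, flag hosts that run an LDAP server (domain controllers) because of the wormable LDAP bug, and check the OpenSSH service that the known issue affects. It assumes the February 2025 updates were released on 2025-02-11 and that the OpenSSH server is installed as the `sshd` service; it does not name specific KB numbers, which vary by Windows version.

```powershell
# Added example (not from the article): post-Patch-Tuesday triage on one Windows host.
# Assumptions: February 2025 Patch Tuesday was 2025-02-11; OpenSSH server is the 'sshd' service.
# Run in an elevated PowerShell session.

$patchDay = Get-Date '2025-02-11'

# 1. Updates installed on or after Patch Tuesday. An empty list means the host has not
#    received the February updates (or they failed to install). InstalledOn can be null
#    for some entries, so it is checked before the comparison.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDay }
if ($recent) {
    Write-Host "Updates installed since $($patchDay.ToShortDateString()):"
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since $($patchDay.ToShortDateString()); February fixes appear to be missing."
}

# 2. Exposure hints. afd.sys is present on every Windows host; report its file version and
#    timestamp so it can be compared against a known-patched machine. The LDAP RCE matters
#    most on hosts running Active Directory Domain Services (NTDS service present).
$afd = Get-Item "$env:SystemRoot\System32\drivers\afd.sys"
Write-Host "afd.sys version: $($afd.VersionInfo.FileVersion) (last written $($afd.LastWriteTime))"
if (Get-Service -Name NTDS -ErrorAction SilentlyContinue) {
    Write-Warning "This host runs Active Directory Domain Services (LDAP server): prioritise patching it."
}

# 3. Known issue: the OpenSSH service may fail to start after the update.
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
if ($sshd) {
    if ($sshd.Status -ne 'Running') {
        Write-Warning "sshd is $($sshd.Status); attempting to start it."
        try {
            Start-Service -Name sshd -ErrorAction Stop
            Write-Host "sshd started."
        } catch {
            Write-Warning "sshd failed to start: $($_.Exception.Message). Check the OpenSSH event log."
        }
    } else {
        Write-Host "sshd is running."
    }
}
```

Run it on a representative host from each Windows build in the estate; the afd.sys version line is only meaningful when compared against the same build on a machine known to have installed the February update.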