February Patch Tuesday delivers 57 packages – Sophos Information

Microsoft on Tuesday launched 57 patches touching 13 product households. Two of the addressed points are thought of by Microsoft to be of Vital severity, and 13 have a CVSS base rating of 8.0 or increased. Two, each affecting Home windows, are beneath energetic exploit within the wild.

At patch time, two of the addressed Home windows points (CVE-2025-21391, CVE-2025-21418) are detected to be beneath energetic exploit within the wild, with 17 further CVEs extra more likely to be exploited within the subsequent 30 days by the corporate’s estimation. 4 of this month’s points are amenable to detection by Sophos protections, and we embrace data on these in a desk under.

Along with these patches, the discharge consists of advisory data on Servicing Stack Updates, in addition to data on the month’s 10 Edge patches (there’s additionally, for the second month in a row, an Web Explorer patch, as we’ll talk about under) and one Dynamics 365 difficulty lined within the launch however already mitigated by Microsoft.

We’re as at all times together with on the finish of this put up further appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household; an appendix protecting the advisory-style updates; and a breakout of the patches affecting the varied Home windows Server platforms nonetheless in assist. This month, we’re including additional data to Appendix B, recapping CVSS Base scores for probably the most extremely scored vulnerabilities.

By the numbers

• Whole CVEs: 57
• Publicly disclosed: 2
• Exploit detected: 2
• Severity
  • Vital: 2
  • Necessary: 55
• Influence
  • Distant Code Execution: 23
  • Elevation of Privilege: 19
  • Denial of Service: 9
  • Safety Function Bypass: 2
  • Spoofing: 2
  • Data Disclosure: 1
  • Tampering: 1
• CVSS base rating 9.0 or larger: 1
• CVSS base rating 8.0 or larger: 12

Determine 1: Distant code execution accounts for slightly below half of the February CVE haul, and for each of its Vital-severity points

Merchandise

• Home windows: 37
• 365: 8
• Workplace: 8
• Excel: 6
• Visible Studio: 4
• Azure: 2
• CBL Mariner: 1
• PC: 1
• Microsoft AutoUpdate for Mac: 1
• Outlook: 1
• PC Supervisor: 1
• SharePoint: 1
• Floor: 1

As is our customized for this checklist, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on.

Determine 2: All 37 of February’s Home windows patches apply to the server-side OS, although most additionally apply to the shopper aspect. As for the remaining, one in all this month’s curiosities is which are are 4 patches for Visible Studio – however none for .NET

Notable February updates

Along with the problems mentioned above, quite a lot of particular objects advantage consideration.

CVE-2025-21391 — Home windows Storage Elevation of Privilege Vulnerability

One of many two points already identified to be beneath exploit within the wild, this difficulty would enable an attacker to delete focused information on the system; no consumer interplay is required.

CVE-2025-21198 – Microsoft Excessive Efficiency Compute (HPC) Pack Linux Compute Node Distant Code Execution Vulnerability

Microsoft characterizes this CVSS 9.0 difficulty as Necessary in severity and believes it’s much less more likely to be exploited within the subsequent 30 days. To take advantage of this difficulty, an attacker would want entry to the community connecting the focused clusters and nodes, and would ship a malicious HTTPS request to the focused head node or Linux compute node

CVE-2025-21381, CVE-2025-21386, CVE-2025-21387, CVE-2025-21390, CVE-2025-21394 – all Microsoft Excel Distant Code Execution Vulnerability

5 of the six Excel vulnerabilities this month (that are additionally 5 of the eight 365 and Workplace vulnerabilities) embrace Preview Pane as a possible vector. All are Necessary-severity points with a CVSS Base rating of seven.8.

CVE-2025-21194 — Microsoft Floor Safety Function Bypass Vulnerability

It is a robust bug to take advantage of – it requires a good quantity of preparation, attacker entry to a restricted community, and a reboot on the consumer’s half. The outstanding factor about this bug, nonetheless, is that it is determined by the {hardware} – particularly, a number of variations of Microsoft’s Floor platform, and extra particularly VMs inside a UEFI host machine. A profitable attacker might bypass the UEFI, which might result in compromise of the hypervisor and the safe kernel.

CVE-2025-21377 — NTLM Hash Disclosure Spoofing Vulnerability

Web Explorer once more? Sure, and that’s not the one throwback side to this patch. The vulnerability, which discloses the consumer’s NTLMv2 hash, impacts the MSHTML, EdgeHTML, and scripting platforms nonetheless lurking under the floor of assorted functions. Microsoft believes this difficulty is amongst these extra more likely to be exploited within the wild within the subsequent 30 days. Discovery of this bug was apparently a multinational effort, with credit score given to researchers at Cathay Pacific in addition to safety corporations Securify BV and ACROS Safety. The latter could ring bells with tech folks skilled sufficient to recollect one in all their early discoveries – one of many knot of vulnerabilities that composed Stuxnet.

Determine 3: With Tampering becoming a member of the board with a single vulnerability this month, all the standard classes are already represented on the 2025 cumulative chart

Sophos protections

As you’ll be able to each month, if you happen to don’t wish to wait on your system to drag down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe device to find out which construct of Home windows 10 or 11 you’re operating, then obtain the Cumulative Replace bundle on your particular system’s structure and construct quantity.

Appendix A: Vulnerability Influence and Severity

It is a checklist of February patches sorted by affect, then sub-sorted by severity. Every checklist is additional organized by CVE.

Distant Code Execution (23 CVEs)

Elevation of Privilege (19 CVEs)

Denial of Service (9 CVEs)

Safety Function Bypass (2 CVEs)

Spoofing (2 CVEs)

Data Disclosure (1 CVE)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

It is a checklist of the February CVEs judged by Microsoft to be both beneath exploitation within the wild or extra more likely to be exploited within the wild inside the first 30 days post-release. The checklist is additional organized by CVE.

It is a checklist of February CVEs with a Microsoft-assessed CVSS Base rating of 8.0 or increased. They’re organized by rating and additional sorted by CVE. For extra data on how CVSS works, please see our sequence on patch prioritization schema.

Appendix C: Merchandise Affected

It is a checklist of February’s patches sorted by product household, then sub-sorted by severity. Every checklist is additional organized by CVE. Patches which are shared amongst a number of product households are listed a number of occasions, as soon as for every product household. Points affecting Home windows Server are additional sorted in Appendix E.

Home windows (37 CVEs)

365 (8 CVEs)

Workplace (8 CVEs)

Excel (6 CVEs)

Visible Studio (4 CVEs)

Azure (2 CVEs)

CBL Mariner (1 CVE)

HPC (1 CVE)

Microsoft AutoUpdate for Mac (1 CVE)

Outlook (1 CVE)

PC Supervisor (1 CVE)

SharePoint (1 CVE)

Floor (1 CVE)

Appendix D: Advisories and Different Merchandise

It is a checklist of advisories and data on different related CVEs within the February launch. The problems addressed in these CVEs have already been mitigated by Microsoft, however had been listed within the launch within the pursuits of transparency.

Microsoft data:

There aren’t any Adobe advisories on this month’s launch.

Appendix E: Affected Home windows Server variations

It is a desk of CVEs within the February launch affecting 9 Home windows Server variations, 2008 by 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Vital-severity points are marked in crimson; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity, as every reader’s state of affairs, particularly because it issues merchandise out of mainstream assist, will differ. For particular Data Base numbers, please seek the advice of Microsoft.