February Patch Tuesday delivers 57 packages

Microsoft on Tuesday released 57 patches touching 13 product families. Two of the addressed issues are considered by Microsoft to be of Critical severity, and 13 have a CVSS base score of 8.0 or higher. Two, both affecting Windows, are under active exploit in the wild.

At patch time, two of the addressed Windows issues (CVE-2025-21391, CVE-2025-21418) are detected to be under active exploit in the wild, with 17 additional CVEs more likely to be exploited in the next 30 days by the company’s estimation. Four of this month’s issues are amenable to detection by Sophos protections, and we include information on those in a table below.

In addition to these patches, the release includes advisory information on Servicing Stack Updates, as well as information on the month’s 10 Edge patches (there is also, for the second month in a row, an Internet Explorer patch, as we’ll discuss below) and one Dynamics 365 issue covered in the release but already mitigated by Microsoft.

We are as always including at the end of this post additional appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family; an appendix covering the advisory-style updates; and a breakout of the patches affecting the various Windows Server platforms still in support. This month, we are adding further information to Appendix B, recapping CVSS Base scores for the most highly scored vulnerabilities.

By the numbers

• Total CVEs: 57
• Publicly disclosed: 2
• Exploit detected: 2
• Severity
  • Critical: 2
  • Important: 55
• Impact
  • Remote Code Execution: 23
  • Elevation of Privilege: 19
  • Denial of Service: 9
  • Security Feature Bypass: 2
  • Spoofing: 2
  • Information Disclosure: 1
  • Tampering: 1
• CVSS base score 9.0 or greater: 1
• CVSS base score 8.0 or greater: 12

Figure 1: Remote code execution accounts for just under half of the February CVE haul, and for both of its Critical-severity issues

Products

• Windows: 37
• 365: 8
• Office: 8
• Excel: 6
• Visual Studio: 4
• Azure: 2
• CBL Mariner: 1
• PC: 1
• Microsoft AutoUpdate for Mac: 1
• Outlook: 1
• PC Manager: 1
• SharePoint: 1
• Surface: 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect.

Figure 2: All 37 of February’s Windows patches apply to the server-side OS, though most also apply to the client side. As for the rest, one of this month’s curiosities is that are are four patches for Visual Studio – but none for .NET

Notable February updates

In addition to the issues discussed above, a variety of specific items merit attention.

CVE-2025-21391 — Windows Storage Elevation of Privilege Vulnerability

One of the two issues already known to be under exploit in the wild, this issue would allow an attacker to delete targeted files on the system; no user interaction is required.

CVE-2025-21198 – Microsoft High Performance Compute (HPC) Pack Linux Compute Node Remote Code Execution Vulnerability

Microsoft characterizes this CVSS 9.0 issue as Important in severity and believes it is less likely to be exploited in the next 30 days. To exploit this issue, an attacker would need access to the network connecting the targeted clusters and nodes, and would send a malicious HTTPS request to the targeted head node or Linux compute node

CVE-2025-21381, CVE-2025-21386, CVE-2025-21387, CVE-2025-21390, CVE-2025-21394 – all Microsoft Excel Remote Code Execution Vulnerability

Five of the six Excel vulnerabilities this month (which are also five of the eight 365 and Office vulnerabilities) include Preview Pane as a potential vector. All are Important-severity issues with a CVSS Base score of 7.8.

CVE-2025-21194 — Microsoft Surface Security Feature Bypass Vulnerability

This is a tough bug to exploit – it requires a fair amount of preparation, attacker access to a restricted network, and a reboot on the user’s part. The remarkable thing about this bug, however, is that it depends on the hardware – specifically, multiple versions of Microsoft’s Surface platform, and more specifically VMs within a UEFI host machine. A successful attacker could bypass the UEFI, which could lead to compromise of the hypervisor and the secure kernel.

CVE-2025-21377 — NTLM Hash Disclosure Spoofing Vulnerability

Internet Explorer again? Yes, and that’s not the only throwback aspect to this patch. The vulnerability, which discloses the user’s NTLMv2 hash, affects the MSHTML, EdgeHTML, and scripting platforms still lurking below the surface of various applications. Microsoft believes this issue is among those more likely to be exploited in the wild in the next 30 days. Discovery of this bug was apparently a multinational effort, with credit given to researchers at Cathay Pacific as well as security firms Securify BV and ACROS Security. The latter may ring bells with tech folk experienced enough to remember one of their early discoveries – one of the knot of vulnerabilities that composed Stuxnet.

Figure 3: With Tampering joining the board with a single vulnerability this month, all the usual categories are already represented on the 2025 cumulative chart

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of February patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Remote Code Execution (23 CVEs)

Elevation of Privilege (19 CVEs)

Denial of Service (9 CVEs)

Security Feature Bypass (2 CVEs)

Spoofing (2 CVEs)

Information Disclosure (1 CVE)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

This is a list of the February CVEs judged by Microsoft to be either under exploitation in the wild or more likely to be exploited in the wild within the first 30 days post-release. The list is further arranged by CVE.

This is a list of February CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.

Appendix C: Products Affected

This is a list of February’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Issues affecting Windows Server are further sorted in Appendix E.

Windows (37 CVEs)

365 (8 CVEs)

Office (8 CVEs)

Excel (6 CVEs)

Visual Studio (4 CVEs)

Azure (2 CVEs)

CBL Mariner (1 CVE)

HPC (1 CVE)

Microsoft AutoUpdate for Mac (1 CVE)

Outlook (1 CVE)

PC Manager (1 CVE)

SharePoint (1 CVE)

Surface (1 CVE)

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the February release. The issues addressed in these CVEs have already been mitigated by Microsoft, but were listed in the release in the interests of transparency.

Microsoft information:

There are no Adobe advisories in this month’s release.

Appendix E: Affected Windows Server versions

This is a table of CVEs in the February release affecting nine Windows Server versions, 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.