February Patch Tuesday: CISOs should act now on two actively exploited Windows Server vulnerabilities

Published: 2025-02-12
Source: https://cybersecurityinfocus.com/?p=1893

CISOs should make sure that two actively exploited vulnerabilities in Windows are addressed as part of their staff's February Patch Tuesday efforts.

They are:

CVE-2025-21391 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21391), a Windows Storage escalation of privilege vulnerability that, if exploited, could allow an attacker to delete, but not read, targeted files on a system. While this wouldn't lead to a loss of data confidentiality, Microsoft notes it would have a major impact on data integrity and availability. An attacker trying to access a file based on a filename can identify a link or shortcut that resolves to an unintended resource. The attack complexity is low, says Microsoft.

CVE-2025-21418 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21418), a Windows Ancillary Function Driver (AFD) for WinSock escalation of privilege vulnerability caused by a buffer overflow. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges, Microsoft warns. Affected are Windows Server 2008, 2012, 2016, 2019, 2022, and 2025.

Of the pair, two experts say the WinSock hole is the more serious.

"With SYSTEM-level access, attackers could install programs, view, change, or delete data, or create new accounts with full user rights, compromising the security and integrity of corporate systems," noted Mike Walters, president of patch management provider Action1.

Tyler Reguly, associate director of security R&D at Fortra, agreed. "While both vulnerabilities are rated Important by Microsoft and have CVSS (Common Vulnerability Scoring System) scores in the 7.x range, I would treat the Windows AFD for WinSock vulnerability as critical when it comes to patching, given that it has seen active exploitation," he said in an interview.

This vulnerability has the potential to hit all three parts of the CIA triad (data confidentiality, integrity, and availability), he added.

Microsoft didn't detail how, or how widely, these two vulnerabilities are being exploited.

"Any time you [as a CISO] see something experiencing active exploitation, you want to make sure your organization is responding as quickly as possible," Reguly said.

Walters also drew attention to CVE-2025-21376 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21376), a zero-day remote code execution vulnerability in Windows Server's Lightweight Directory Access Protocol (LDAP) service. Although it has not been exploited yet, and its attack complexity is described as High, Microsoft rates this vulnerability as critical.

"This is a critical remote code execution vulnerability that affects the LDAP service that is integrated with Windows Active Directory," Walters said in an email. "An unauthenticated attacker could exploit this vulnerability over the network to execute arbitrary code, potentially leading to a full system compromise. Because Active Directory is the foundation for authentication and authorization in enterprise networks, exploiting this vulnerability could allow attackers to access sensitive information, disrupt services, and pivot to other systems on the network."

Successful exploitation of this vulnerability requires an attacker to win a race condition, Microsoft noted; a race condition occurs when two or more threads try to change shared data at the same time. An unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server, it said, and "successful exploitation could result in a buffer overflow which could be leveraged to achieve remote code execution."

Action1 also drew attention to three zero-day vulnerabilities (CVE-2025-21335, CVE-2025-21334, and CVE-2025-21333) in the Windows Hyper-V NT Kernel Integration Virtual Service Provider (VSP).

Organizations relying on Hyper-V include data centers, cloud providers, enterprise IT environments, and development platforms. "An attacker with low privileges can execute code with SYSTEM privileges, gaining control over the host system," Action1 noted. Infosec pros in organizations that use Hyper-V should prioritize patching these vulnerabilities and monitor for unusual activity.

This month's patches also included a fix for Microsoft Access (CVE-2025-21186) and one for Microsoft Dynamics 365 Sales (CVE-2025-21177).

CISOs should also be aware of a fix for a hash disclosure vulnerability in NTLM (CVE-2025-21377, https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21377). So far it hasn't been exploited.

However, Walters noted that this vulnerability results in the disclosure of users' NTLMv2 hashes upon minimal user interaction, such as single-clicking or right-clicking a malicious file. Because it has been publicly disclosed, it is considered more likely to be exploited.

"Attackers who obtain NTLMv2 hashes can perform pass-the-hash attacks, impersonating users to gain unauthorized access to network resources, potentially compromising sensitive data and systems," he said. "In addition to applying the patch, CISOs should evaluate the use of NTLM on their networks, consider implementing stronger authentication mechanisms such as Kerberos, and provide user training to prevent interactions with suspicious files."

Organizations still vary widely in their patching procedures, Reguly added. More mature infosec departments test patches in a lab, roll them out, and then use vulnerability scans to confirm that everything is patched. Smaller teams are hard-pressed to find the time for testing, so they take longer to install patches and leave themselves more exposed to attack.

Smaller organizations should "take a breath [when patches are released] and then take a look at your [patch and vulnerability management] tooling," Reguly noted. "A lot of the time, tooling plays a large role in how well an organization works. There's a lot of checkbox solutions out there that are cheaper on paper and they may not be giving you the big picture."

Patch management tools will tell the CISO whether a patch has been applied, he said, but applying a patch doesn't always close a vulnerability or show whether a system is properly configured. Vulnerability management tools confirm that a vulnerability has truly been closed, he said.