Microsoft followed up its massive January Patch Tuesday update containing fixes for 159 vulnerabilities with a more modest crop this month. This time, it released fixes for 57 new Common Vulnerabilities and Exposures (CVEs) in its update, three of which are critical.
Dustin Childs of the Zero Day Initiative described one of the vulnerabilities as unprecedented in the wild. This is a Windows storage elevation of privilege (EOP) vulnerability, CVE-2025-21391.
In a blog post, Childs said: “This is … a type of bug we haven’t seen exploited publicly. The vulnerability allows an attacker to delete targeted files. How does this lead to privilege escalation? My colleague Simon Zuckerbraun details the technique here. While we’ve seen similar issues in the past, this does appear to be the first time the technique has been exploited in the wild. It’s also likely paired with a code execution bug to completely take over a system. Test and deploy this quickly.”
In Computer Weekly’s sister title SearchWindowsServer, Tom Walat picked out two new zero-day vulnerabilities that Microsoft has fixed in this Patch Tuesday, including the EOP that Childs highlighted.
“The first new zero-day is a Windows Ancillary Function Driver for WinSock elevation-of-privilege vulnerability (CVE-2025-21418) rated important with a CVSS (Common Vulnerability Scoring System) score of 7.8. This bug affects all currently supported Windows desktop and server systems,” he wrote.
The second new zero-day is the storage EOP vulnerability (CVE-2025-21391) that Childs commented on, to which Walat added: “To exploit the vulnerability, the attacker only needs local access to the network with low privileges. If successful, the attacker can delete files on a system to cause service disruptions and possibly perform other actions, such as elevating their privileges.”
Childs also picked out CVE-2025-21376, a Windows Lightweight Directory Access Protocol (LDAP) remote code execution (RCE) vulnerability. “This vulnerability allows a remote, unauthenticated attacker to run their code on an affected system simply by sending a maliciously crafted request to the target,” he wrote. “Since there’s no user interaction involved, that makes this bug wormable between affected LDAP servers. Microsoft lists this as ‘exploitation likely’, so even though this may be unlikely, I would treat this as an impending exploitation. Test and deploy the patch quickly.”
In the CVE notes to this “critical” vulnerability, which has a CVSS rating of 8.1, Microsoft stated: “An unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation could result in a buffer overflow which could be leveraged to achieve remote code execution.”
There are also several Microsoft Excel bug fixes in this update, including CVE-2025-21387, an RCE vulnerability. “This is one of several Excel fixes where the Preview Pane is an attack vector, which is confusing as Microsoft also notes that user interaction is required,” said Childs. “They also note that multiple patches are required to address this vulnerability fully. This likely can be exploited either by opening a malicious Excel file or previewing a malicious attachment in Outlook. Either way, make sure you get all the needed patches tested and deployed.”
This vulnerability is one of six Excel flaws that Microsoft corrected this month, in what proved to be a relatively light Patch Tuesday.
