
February 13, 2025

Microsoft fixes 63 vulnerabilities on Patch Tuesday, including two that were actively exploited


On February 11, 2025, Microsoft fixed 63 vulnerabilities as part of its Patch Tuesday event; among them two were publicly disclosed, two more were actively exploited, and three were assessed as critical remote code execution vulnerabilities.


While two flaws, tracked as CVE-2025-21391 and CVE-2025-21418, were reported to be exploited, it is the flaw designated CVE-2025-21376 that drew the most media attention, owing to its potential to be wormable and to Microsoft adding an “Exploitation Likely” note to the listing.

Source: Microsoft

Analysis

Field Effect is paying particularly close attention to one of the exploited issues, CVE-2025-21418, a privilege escalation flaw in a native Windows driver, the Ancillary Function Driver for WinSock (AFD.sys). The issue has been assigned a Common Vulnerability Scoring System (CVSS) base score of 7.8 out of 10 and could be exploited to obtain SYSTEM privileges. Researchers note that similar flaws in the same component have been exploited nine times since 2022, including instances attributed to North Korean state actors.

CVE-2025-21376 is described as a Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. The issue could allow a remote, unauthenticated threat actor to execute code on an affected system by sending a malicious request to a vulnerable LDAP server. As many point out, once exploited, no user interaction is required for it to spread between affected LDAP servers.

However, a threat actor would need to win a race condition before achieving the buffer overflow. It has been some time since we observed a similar RCE vulnerability turned into a functional exploit.

To reduce the threat posed by CVE-2025-21376, users and network administrators should ensure that LDAP is properly configured and not exposed externally. We also recommend installing the Patch Tuesday updates as soon as possible.
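One way to check the exposure part of that recommendation on a Windows LDAP server, as an added example that is not code from Field Effect or Microsoft: list which LDAP ports are listening and which enabled inbound firewall rules would accept them from any remote address. It assumes an elevated PowerShell session on the server being audited and the standard Windows Firewall cmdlets.

```powershell
# Added example (not from the Field Effect post): audit this host for LDAP
# listeners and for inbound allow rules that open LDAP to any remote address.
$ldapPorts = 389, 636, 3268, 3269   # LDAP, LDAPS, Global Catalog, GC over TLS

# Does a firewall port-filter entry ("Any", "389", or a range like "3268-3269") cover $Port?
function Test-PortInFilter {
    param([string[]]$Filter, [int]$Port)
    foreach ($entry in $Filter) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# 1. Which LDAP ports are actually listening, and on which local addresses?
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $ldapPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Write-Host "LDAP listeners on this host:"
$listeners | Format-Table -AutoSize

# 2. Which enabled inbound allow rules open an LDAP port to any remote address?
$exposed = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -notin 'TCP', 'Any') { continue }
    $hits = $ldapPorts | Where-Object { Test-PortInFilter -Filter @($portFilter.LocalPort) -Port $_ }
    if (-not $hits) { continue }
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($remote -contains 'Any') {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Ports         = ($hits -join ',')
            Profile       = $rule.Profile        # Public or Any is the most concerning
            RemoteAddress = ($remote -join ',')
        }
    }
}
Write-Host "Inbound allow rules exposing LDAP to any remote address:"
$exposed | Format-Table -AutoSize
```

Rules flagged here should be scoped to the address ranges that genuinely need directory access (for example with `-RemoteAddress LocalSubnet` or explicit CIDRs); the host firewall is only one layer, so confirm at the perimeter firewall that ports 389, 636, 3268 and 3269 are not reachable from the Internet.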

Mitigation

Field Effect’s team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in Microsoft products. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate exploitation of these vulnerabilities. Field Effect MDR users were automatically notified if a vulnerable version of Windows was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect encourages users of the affected Windows versions to update to the latest version as soon as possible, in accordance with Microsoft’s advisory. 
