Actively Exploited Zero-Day Vulnerability in Windows Ancillary Function Driver for WinSock
Windows Ancillary Function Driver for WinSock (afd.sys) received a patch for CVE-2025-21418, which has a severity of Important and a CVSS score of 7.8. The driver is the kernel-mode component behind the Winsock API and is primarily responsible for handling network-related functions. This elevation of privilege vulnerability allows an attacker who can already run code on the host to gain SYSTEM privileges. Microsoft has indicated that the vulnerability is the result of a heap-based buffer overflow but has not shared further details or the source of the disclosure.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Important | 7.8 | CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Actively Exploited Zero-Day Vulnerability in Windows Storage
Windows Storage received a patch for CVE-2025-21391, which has a severity of Important and a CVSS score of 7.1. Although Microsoft classifies it as an elevation of privilege vulnerability, the practical impact is that a local attacker can delete targeted files on a system. The vulnerability does not allow disclosure of data, but it could disrupt services if critical files are deleted.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Important | 7.1 | CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability |
Publicly Disclosed Zero-Day Vulnerabilities in Microsoft Surface and Windows
Microsoft Surface devices received a patch for CVE-2025-21194, a security feature bypass with a severity of Important and a CVSS score of 7.1. Exploitation is highly complex: it requires several conditions to line up at once, including specific application behavior, user actions, manipulation of function parameters, and impersonation of an integrity-level token.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Important | 7.1 | CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability |
Windows received a patch for CVE-2025-21377, which has a severity of Important and a CVSS score of 6.5. This vulnerability can lead to total loss of confidentiality by exposing a user's NTLMv2 hash, potentially allowing an attacker to authenticate as that user. It requires only minimal user interaction with a malicious file.
This vulnerability impacts all Windows versions. While Microsoft has announced the retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. Internet Explorer (IE) Cumulative updates are therefore still shipped for some servers. For full protection, Microsoft recommends installing both the Security Only Windows updates and the IE Cumulative updates. Because the vulnerability is easy to exploit and the resulting credential exposure is high risk, it should be mitigated and patched urgently.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Important | 6.5 | CVE-2025-21377 | NTLMv2 Hash Disclosure Spoofing Vulnerability |
Critical Vulnerability in Windows Lightweight Directory Access Protocol
CVE-2025-21376 is a Critical RCE vulnerability affecting Windows Lightweight Directory Access Protocol (LDAP) and has a CVSS score of 8.1. This high-complexity vulnerability requires an attacker to win a race condition for successful exploitation. An unauthenticated attacker could exploit it by sending a specially crafted request to a vulnerable LDAP server, potentially causing a buffer overflow that could lead to remote code execution.
In addition to patching, Microsoft recommends that all Active Directory servers be configured to not accept remote procedure calls (RPCs) from untrusted networks. Despite the exploitation complexity, the vulnerability requires no authentication and targets domain controllers, so it poses a significant risk to the Active Directory environment and should be mitigated and patched quickly.
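The following PowerShell is an added example (not code from the original advisory or from Microsoft) that implements the two network-level mitigations discussed on this page: blocking outbound SMB from workstations to untrusted address space, which removes the usual path for an NTLMv2 hash to leak to an attacker-controlled server as described for CVE-2025-21377, and refusing inbound RPC on domain controllers from untrusted networks, as Microsoft recommends for CVE-2025-21376. It assumes that "trusted" means the RFC 1918 private ranges, that it runs elevated on Windows 10/11 or Windows Server 2016 or later, and that the host role can be read from `Win32_ComputerSystem`; the rule names and the `$PublicRanges` list are this example's own choices.

```powershell
# Added example: Windows Firewall rules for the two mitigations discussed above.
#   1. Workstations: block outbound SMB (TCP 445) to non-private address space so a
#      lure document pointing at an attacker-controlled UNC path cannot send an NTLMv2
#      response to the internet.
#   2. Domain controllers: drop inbound RPC endpoint-mapper and dynamic RPC traffic
#      from non-private address space ("no RPC from untrusted networks").
# Assumption (not stated on the page): trusted networks are the RFC 1918 ranges.
# Adjust $PublicRanges before use if your trusted ranges differ.

#Requires -RunAsAdministrator
#Requires -Modules NetSecurity

# All IPv4 unicast space that is not RFC 1918. Windows Firewall has no "not in list"
# operator, so the untrusted space is enumerated explicitly as address ranges.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Set-SmbEgressRestriction {
    # Workstation side: stop NTLM leaks over outbound SMB to the internet.
    $name = 'Block outbound SMB to untrusted networks'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $name
    }
    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress $PublicRanges -Action Block -Profile Any | Out-Null
}

function Set-DcRpcIngressRestriction {
    # Domain controller side: two rules, the endpoint mapper (TCP 135, keyword
    # RPC-EPMap) and the dynamic RPC port range (keyword RPC).
    foreach ($port in @('RPC-EPMap', 'RPC')) {
        $name = "Block inbound $port from untrusted networks"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Remove-NetFirewallRule -DisplayName $name
        }
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -RemoteAddress $PublicRanges -Action Block -Profile Any | Out-Null
    }
}

function Show-Restriction {
    # Verification: list the remote address scope of each rule this script owns.
    Get-NetFirewallRule -DisplayName '*untrusted networks' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Direction     = $_.Direction
            Action        = $_.Action
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
}

# Choose the rule set from the role of the host the script runs on.
# DomainRole: 0-1 workstation, 2-3 server, 4 backup DC, 5 primary DC.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Set-DcRpcIngressRestriction
} else {
    Set-SmbEgressRestriction
}
Show-Restriction
```

Two caveats when using this. Windows Firewall evaluates block rules before allow rules, so the block rules above are deliberately scoped to the untrusted ranges rather than to "Any"; a block on "Any" would also cut internal SMB and RPC. On a domain controller, confirm the trusted ranges first, because blocking RPC from a legitimate subnet breaks replication and remote management. The SMB rule closes only the TCP 445 path; WebDAV over TCP 80/443 is another way a UNC path can trigger outbound NTLM, and it is better addressed with an egress proxy or the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.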
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.1 | CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability |
Critical Vulnerability in Microsoft Excel
CVE-2025-21381 is a Critical RCE vulnerability affecting Microsoft Excel and has a CVSS score of 7.8. Although the CVSS attack vector is Local, Microsoft classifies this as remote code execution because the attacker can be remote while the exploit runs locally on the victim's machine once a crafted file is opened or rendered. The vulnerability could be triggered via the Preview Pane in affected applications, as we have seen many times in similar vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025).
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 7.8 | CVE-2025-21381 | Microsoft Excel Remote Code Execution Vulnerability |
Critical Vulnerability in Dynamic Host Configuration Protocol Client Service
CVE-2025-21379 is a Critical RCE vulnerability with a CVSS score of 7.1 that affects the DHCP (Dynamic Host Configuration Protocol) Client Service. This high-complexity vulnerability requires the attacker to perform a machine-in-the-middle attack, injecting themselves between the target and the requested resource. Because the attack vector is Adjacent, exploitation is limited to systems on the same network segment as the attacker, restricting its scope to a local area network rather than across routed networks.
| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 7.1 | CVE-2025-21379 | DHCP Client Service Remote Code Execution Vulnerability |
Patch Tuesday Dashboard in the Falcon Platform
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our newly available Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events a day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures — learn more here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.