Expert Insights into 56 Vulnerabilities and 2 Zero-Days

This month’s Patch Tuesday brings an array of 56 new vulnerabilities that highlight the ongoing challenges in maintaining system security. While each vulnerability differs in complexity and impact, they all serve as reminders of the importance of proactive patch management. Read on for an expert breakdown of February 2025’s key CVEs and how to address them. And check out the Patch [FIX] Tuesday podcast for even more insight! 

Before examining these vulnerabilities, let’s first see how this Patch Tuesday measures up to its predecessors.

CVE-2025-21293 (CVSS 8.8/10) emerged as a notable vulnerability in Active Directory Domain Services (AD DS). Initially disclosed during January 2025’s Patch Tuesday, it’s now being actively exploited with proof-of-concept scripts widely available.

The vulnerability leverages the over-privileged “Network Configuration Operators” security group, enabling attackers to gain system-level privileges. This is accomplished by registering a malicious performance counter DLL and exploiting excessive permissions on sensitive registry keys. If successfully exploited, this CVE can grant attackers unrestricted access to an Active Directory environment.

To protect your systems, patch all vulnerable endpoints immediately. Until patches are applied, monitor registry keys associated with performance counters for unauthorized changes or restrict access to these permissions. Regular directory audits can also help detect and mitigate unauthorized modifications.

– Henry Smith, Senior Security Engineer, Automox

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2025-21418 (CVSS 7.8/10) is a vulnerability in the AFD.SYS file. This vulnerability affects both Windows desktop and server environments, including Windows 10, 11, and Server 2008, and is currently being actively exploited as a zero-day exploit. 

This vulnerability may be linked to CVE-2023-21768, which was exploited through improper handling of user-mode inputs. By sending a malicious I/O request to the AFD driver, a low-privilege user could escalate their access to system-level privileges.

To mitigate this threat, immediately apply the latest patches for all affected Windows systems. If patching is not immediately feasible, prioritize limiting access to potentially exploitable processes and enforce strict security controls around user inputs.

– Henry Smith, Senior Security Engineer, Automox

Windows Disk Cleanup Tool Elevation of Privilege Vulnerability

CVE-2024-21420 (CVSS 7.8/10) is a vulnerability within Microsoft’s Windows Disk Cleanup Tool, a utility first introduced with Windows 98. Attackers can exploit this flaw to gain elevated privileges, potentially by manipulating temporary directories or user-controlled inputs during disk cleanup operations. Legacy systems, such as Windows Server 2008 and Server 2012, are particularly vulnerable, underscoring the risks of business reliance on outdated and deprecated software.

To mitigate this issue, prioritize applying Microsoft’s security updates to all affected systems. For organizations still relying on outdated Windows servers, it is essential to plan migrations to supported operating systems or implement additional security controls as interim measures.

– Tom Bowyer, Director IT Security, Automox

7-Zip Mark-of-the-Web Bypass Vulnerability

CVE-2025-0411 (CVSS 7.0/10) exploits a flaw within 7-Zip where the “Mark-of-the-Web” metadata is not correctly propagated when extracting files from archives. This flaw allows attackers to bypass a critical Windows security mechanism that flags files downloaded from the internet for additional scrutiny. By exploiting this vulnerability, attackers can execute arbitrary code on affected devices.

To mitigate this issue, update 7-Zip to version 24.09 or later, as this release addresses the vulnerability. Educating users on the dangers of extracting files from unknown sources and enforcing stricter filtering policies to block untrusted file formats are strong first steps toward implementing effective defense-in-depth strategies.

– Ryan Braunstein, Security Manager, Automox

AirPlay Input Validation Vulnerability

Design flaws in Apple’s AirPlay service enable attackers on the same network to trigger unexpected system crashes or corrupt process memory. CVE-2025-24126 presents a serious risk to macOS devices, particularly in environments with shared or public networks. A lack of proper input validation is at the heart of this vulnerability, exposing devices to potentially severe disruptions.

To mitigate this vulnerability, update your Apple devices to the latest versions of macOS, iOS, and watchOS. Segmenting your network and using encrypted connections can actively reduce exposure, especially in high-risk environments such as public Wi-Fi or enterprise networks.

– Tom Bowyer, Director IT Security, Automox