Patch Tuesday Microsoft’s February patch collection is mercifully smaller than January’s mega-dump. But don’t get too relaxed – some deserve close attention, and other vendors have stepped in with plenty more fixes.

Of the 63 patches (including six released earlier in the month) Microsoft announced, two are already being exploited.

Both require attackers to be local and authenticated. One is CVE-2025-21418: A CVSS 7.8-scored elevation of privilege vulnerability in the Windows Ancillary Function Driver for Winsock that allows an attacker to execute a specially crafted program to gain SYSTEM-level privileges. The flaw affects machines running Windows 10, 11, and various versions of Windows Server.

The other: CVE-2025-21391, a CVSS 7.1-rated elevation of privilege vulnerability in Windows Storage that means a local attacker can delete files under limited and vague conditions. As Windows Storage is present in Windows Server, that raises the possibility that data apps rely on could be deleted.

Microsoft also detailed two issues that are publicly known, even if they haven’t yet been exploited. Those of you with Surface kit – a laptop or tablet – may wish to consider fixing CVE-2025-21194, a 7.1-rated vulnerability that means some PCs are susceptible to compromise of the hypervisor and the secure kernel.

Hypervisor compromises are very nasty, but Microsoft says exploiting this flaw “requires multiple conditions to be met, such as specific application behavior, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token.”

The other known vulnerability is CVE-2025-21377, which could leak a user’s NTLMv2 hash. What makes this CVSS 6.5 flaw particularly annoying is that the user doesn’t need to do much—simply selecting the file (single-click), right-clicking to inspect it, or performing another action short of opening or executing it can trigger the vulnerability.

Microsoft’s highest-scored February flaw is CVE-2025-21198, which earned a 9.0 CVSS rating. This one could have serious consequences for high-performance computing infrastructure by allowing remote code execution. The attacker would need access to the network connecting machines in a targeted HPC cluster, but once exploited, this flaw could extend to other clusters and nodes within the same network.

“An attacker could exploit this vulnerability by sending a specially crafted HTTPS request to the targeted head node or Linux compute node granting them the ability to perform RCE on other clusters or nodes connected to the targeted head node,” Microsoft warned.

Excel received five patches this month – all rated 7.8 – with one deemed a critical patching priority by Redmond and four classed as important. CVE-2025-21381 is the one Microsoft wants you to fix first as it allows remote code execution, though technically classified as a local attack. The “remote” aspect refers to how the attacker delivers the malicious file to abuse the bug. In this case, an attacker could use social engineering to trick a victim into opening a specially crafted file, leading to arbitrary code execution.

Microsoft also urges attention to CVE-2025-21379, a flaw in the DHCP Client Service for all builds of Windows. The 7.1-rated bug is hard to exploit and requires an attacker to thoroughly map the network and execute a machine-in-the-middle (MITM) attack with precision. If an attacker can do that, they may be deep in your infrastructure by the time they get around to targeting this flaw.

Technically CVE-2025-21177, a CVSS 8.7 flaw that allows an elevation of privileges attack against Dynamics 365, is also rated critical by Microsoft. Thankfully, however, Redmond has already fully mitigated this vulnerability, and there’s no action required from users.

If you’re a Windows Telephony user, six patches await – all ranked as important by Redmond and with CVSS scores of 8.8. For Office users, Microsoft has patched multiple vulnerabilities, including a couple of remote code execution flaws and a spoofing vulnerability affecting the suite.

Other vendors patch, too

It wouldn’t be a Patch Tuesday without Adobe adding to the load with 45 patches – although unusually there’s no patches for Acrobat this month.

31 of the patches apply to Adobe Commerce, to fix cross-site scripting (XSS) bugs, security feature bypasses, and Critical-rated code execution flaws. Users of the open source Magneto software should prioritize these updates, as that project remains a frequent target of attacks.

InDesign gets seven bug fixes, four of them rated critical, while Illustrator’s three critical-rated bugs could lead to arbitrary code execution when opening a malicious file.

Substance 3D and InCopy both receive a single critical-rated code execution fix, while Photoshop Elements is patched for an important-rated privilege escalation flaw, applicable to macOS on Arm.

SAP pushed out 21 individual patches, ranging in CVSS score from 8.8 to 3.1. The bulk apply to NetWeaver, including a cross-site scripting issue. Additionally, SAP’s Enterprise Project Connection gets a patch that fixes multiple problems.

Fortinet has issued security updates for multiple products, notably addressing a critical authentication bypass vulnerability in FortiOS and FortiProxy. With a CVSS score of 9.6, this one looks like a strong candidate to be applied in your next change window. ®