The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about two critical Microsoft Windows zero-day vulnerabilities currently being exploited by malicious actors. CISA strongly urges immediate patching. Federal agencies have until March 4th to implement the necessary mitigations. This represents a significant threat requiring immediate action.
Actively Exploited Zero-Day Vulnerabilities
This advisory focuses on two specific zero-day vulnerabilities included in Microsoft’s February 2025 Patch Tuesday update:
- CVE-2025-21418: Heap-Based Buffer Overflow in WinSock: This vulnerability resides in the Microsoft Windows Ancillary Function Driver for WinSock, a core networking component. Successful exploitation grants attackers SYSTEM privileges. Functional exploit code is already publicly available, and no workarounds exist. Microsoft rates this zero-day vulnerability 7.8 out of 10 in severity.
- Impact: “This vulnerability could allow an attacker to delete data, including data that results in the service being unavailable,” according to CISA.
- CVE-2025-21391: Privilege Escalation in Windows Storage Link: This zero-day vulnerability affects Microsoft Windows Storage Link, responsible for handling file and folder shortcuts and symbolic links. It allows privilege escalation, data deletion, and service disruption. Microsoft rates this zero-day vulnerability 7.1 out of 10 in severity.
Microsoft states, “This vulnerability does not allow disclosure of confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable.
Researchers from Trend Micro’s Zero Day Initiative (ZDI) note this is a novel exploit, not previously observed publicly.
They add, “It’s also likely paired with a code execution bug to completely take over a system. Test and deploy this quickly.”
Additional Critical Vulnerabilities in February 2025 Patch Tuesday Update
Beyond the two critical zero-days, Microsoft’s February update addresses 63 security vulnerabilities across various products. Sophos highlights 17 flaws with a high probability of exploitation within the next 30 days. Three are particularly critical:
- CVE-2025-21379: Remote Code Execution in DHCP Client Service: This vulnerability affects the DHCP Client Service, allowing attackers to perform man-in-the-middle attacks to read or modify network communications. The attack is limited to the same network segment as the attacker.
- SSRF in Microsoft Dynamics 365 Sales: A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Dynamics 365 Sales allowed authorized attackers to elevate privileges. Microsoft has fully mitigated this flaw; no user action is required.
- Remote Code Execution in Windows LDAP: An unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server, causing a buffer overflow and remote code execution. According to ZDI, the lack of user interaction makes this bug wormable between affected LDAP servers.
CISA’s Urgent Call to Action
Microsoft’s lack of data on the widespread nature of these zero-day attacks, coupled with the existence of functional exploit code for CVE-2025-21418, underscores the critical need for swift patching. Immediate action is crucial to prevent data loss and system compromise. CISA’s deadline for federal agencies to implement mitigations is March 4th. All organizations are strongly urged to apply the necessary patches immediately.
