Microsoft Patch Tuesday – February 2025
Patch Tuesday is once again upon us. As always, our team has put together the monthly Patch Tuesday Report to help you manage your update progress. The audit report gives you a quick and clear overview of your Windows machines and their patching status. The February 2025 edition of Patch Tuesday brings us 56 new fixes, with 3 rated as critical and 2 exploited. We’ve listed the most important changes below.
Strong Certificate Mapping Is Fully Enforced
The first item isn’t related to a specific vulnerability, but another important matter that could impact your infrastructure.
Microsoft introduced strong certificate mapping with the May 2022 update (KB5014754) to improve security in certificate-based authentication. The update embeds the principal’s Security Identifier (SID) in issued certificates and allows domain controllers to monitor and optionally enforce strong certificate mapping. Initially, the update operated in compatibility mode, logging events for non-compliant certificates without enforcing strict mapping. However, starting with the February 2025 security updates, full enforcement will be enabled by default on domain controllers.
If you’re caught off guard, you might encounter outages for workloads using certificate-based authentication such as VPNs, Wi-Fi, RDS and others.
If you’re interested in reading more, here is a Reddit thread and some other resources that were offered there:
- https://directaccess.richardhicks.com/2025/01/27/strong-certificate-mapping-enforcement-february-2025/
- https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_certmap
- https://timbeer.com/strong-mapped-certificates-intune-ndes-scep/
If you want to check enforcement or opt out, you can use the mentioned registry keys and scan them using Lansweeper. The registry key report gives a nice example of how to report on them. Alternatively, you can report on the specific event from the event log; examples can be found in our report library.
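One way to run the check described above on a single domain controller, as an added example (not Lansweeper's report and not code from this article). The registry path, value name and event IDs 39, 40 and 41 are taken from Microsoft's KB5014754 rather than from this page, and the function names are illustrative.

```powershell
# Added example: read-only audit, run in an elevated session on a domain controller.
# Assumption (KB5014754): the KDC reads its enforcement mode from this value.
$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'StrongCertificateBindingEnforcement'

function Get-CertMappingMode {
    $prop = Get-ItemProperty -Path $kdcKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # No explicit setting: the DC follows the default of its installed update level.
        return 'Not configured (default; full enforcement once the February 2025 update is installed)'
    }
    switch ($prop.$valueName) {
        1       { 'Compatibility mode' }
        2       { 'Full enforcement' }
        default { "Other value: $($prop.$valueName)" }
    }
}

function Get-CertMappingEvents {
    param([int]$Days = 30)
    # Assumption (KB5014754): 39 = no strong mapping, 40 = certificate predates
    # the account, 41 = SID in the certificate does not match the account.
    $filter = @{
        LogName   = 'System'
        Id        = 39, 40, 41
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        # These IDs are not unique to the KDC, so keep only KDC-sourced records.
        Where-Object { $_.ProviderName -match 'Kdc|Kerberos-Key-Distribution-Center' } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } }
}

"Mode on $($env:COMPUTERNAME): $(Get-CertMappingMode)"

$events = @(Get-CertMappingEvents -Days 30)
if ($events.Count -eq 0) {
    'No certificate mapping events (39/40/41) in the last 30 days.'
} else {
    # Count per event ID first, then show the most recent records for triage.
    $events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
    $events | Sort-Object TimeCreated -Descending | Select-Object -First 20 | Format-List
}
```

Any events returned identify certificates that would fail, or are already failing, under full enforcement, so the workloads behind them (VPN, Wi-Fi, RDS) are the ones to reissue certificates for first.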
Windows Ancillary Function Driver for WinSock EoP Vulnerability
The first exploited vulnerability is CVE-2025-21418. With a CVSS base score of 7.8, it isn’t necessarily that critical, but the fact that it has been exploited makes it rise to the top of criticality. An attacker who successfully exploits this vulnerability can gain SYSTEM privileges.
The Windows Ancillary Function Driver for WinSock (AFD.sys) is a kernel-mode driver that enables network communication for applications using Windows Sockets (WinSock). It handles TCP/IP and UDP operations, acts as a bridge between applications and the network stack, and is essential for networking functions in Windows. As usual, Microsoft isn’t providing much more information, in order to prevent further exploitation.
LDAP Remote Code Execution Vulnerability
Second on the list this month is CVE-2025-21376. With a CVSS base score of 8.1 and Microsoft listing exploitation as “more likely”, it is important to take note and apply patches to affected devices ASAP. An attacker without authentication could send a specially crafted request to a vulnerable LDAP server. If exploited successfully, this could trigger a buffer overflow, potentially allowing remote code execution.
Run the Patch Tuesday February 2025 Audit
To help manage your update progress, we’ve created the Patch Tuesday Audit that checks if the assets in your network are on the latest patch updates. The report has been color-coded to see which machines are up-to-date and which ones still need to be updated. As always, system administrators are urged to update their environment as soon as possible to ensure all endpoints are secured.
The Lansweeper Patch Tuesday report is automatically added to your Lansweeper Site. Lansweeper Sites is included in all our licenses without any additional cost and allows you to federate all your installations into one single view, so all you need to do is look at one report, automatically added every Patch Tuesday!
Patch Tuesday February 2025 CVE Codes & Titles
| CVE Number | CVE Title |
| --- | --- |
| CVE-2025-24042 | Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability |
| CVE-2025-24039 | Visual Studio Code Elevation of Privilege Vulnerability |
| CVE-2025-24036 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability |
| CVE-2025-21420 | Windows Disk Cleanup Tool Elevation of Privilege Vulnerability |
| CVE-2025-21419 | Windows Setup Files Cleanup Elevation of Privilege Vulnerability |
| CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability |
| CVE-2025-21410 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-21407 | Windows Telephony Service Remote Code Execution Vulnerability |
| CVE-2025-21406 | Windows Telephony Service Remote Code Execution Vulnerability |
| CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2025-21397 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-21394 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-21392 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability |
| CVE-2025-21390 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-21387 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-21386 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-21383 | Microsoft Excel Information Disclosure Vulnerability |
| CVE-2025-21381 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-21379 | DHCP Client Service Remote Code Execution Vulnerability |
| CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability |
| CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability |
| CVE-2025-21375 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability |
| CVE-2025-21373 | Windows Installer Elevation of Privilege Vulnerability |
| CVE-2025-21371 | Windows Telephony Service Remote Code Execution Vulnerability |
| CVE-2025-21369 | Microsoft Digest Authentication Remote Code Execution Vulnerability |
| CVE-2025-21368 | Microsoft Digest Authentication Remote Code Execution Vulnerability |
| CVE-2025-21367 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2025-21359 | Windows Kernel Security Feature Bypass Vulnerability |
| CVE-2025-21358 | Windows Core Messaging Elevation of Privileges Vulnerability |
| CVE-2025-21352 | Internet Connection Sharing (ICS) Denial of Service Vulnerability |
| CVE-2025-21351 | Windows Active Directory Domain Services API Denial of Service Vulnerability |
| CVE-2025-21350 | Windows Kerberos Denial of Service Vulnerability |
| CVE-2025-21349 | Windows Remote Desktop Configuration Service Tampering Vulnerability |
| CVE-2025-21347 | Windows Deployment Services Denial of Service Vulnerability |
| CVE-2025-21337 | Windows NTFS Elevation of Privilege Vulnerability |
| CVE-2025-21322 | Microsoft PC Manager Elevation of Privilege Vulnerability |
| CVE-2025-21259 | Microsoft Outlook Spoofing Vulnerability |
| CVE-2025-21254 | Internet Connection Sharing (ICS) Denial of Service Vulnerability |
| CVE-2025-21216 | Internet Connection Sharing (ICS) Denial of Service Vulnerability |
| CVE-2025-21212 | Internet Connection Sharing (ICS) Denial of Service Vulnerability |
| CVE-2025-21208 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-21206 | Visual Studio Installer Elevation of Privilege Vulnerability |
| CVE-2025-21201 | Windows Telephony Server Remote Code Execution Vulnerability |
| CVE-2025-21200 | Windows Telephony Service Remote Code Execution Vulnerability |
| CVE-2025-21198 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability |
| CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability |
| CVE-2025-21190 | Windows Telephony Service Remote Code Execution Vulnerability |
| CVE-2025-21188 | Azure Network Watcher VM Extension Elevation of Privilege Vulnerability |
| CVE-2025-21184 | Windows Core Messaging Elevation of Privileges Vulnerability |
| CVE-2025-21183 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability |
| CVE-2025-21182 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability |
| CVE-2025-21181 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability |
| CVE-2025-21179 | DHCP Client Service Denial of Service Vulnerability |
| CVE-2023-32002 | HackerOne: CVE-2023-32002 Node.js `Module._load()` policy Remote Code Execution Vulnerability |