February Patch Tuesday is ramping up with releases from Adobe and Microsoft and an expected release from Google. Adobe resolved 45 CVEs across seven updates. The largest and highest priority is Adobe Commerce, which resolves 30 CVEs. Microsoft is coming down off a huge January release and only resolved 56 new CVEs this February. There are two new zero-day exploits and a revised Secure Boot zero-day in the mix, making the Windows OS a top priority this month.
Microsoft exploited vulnerabilities
Microsoft has resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (CVE-2025-21418). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. An attacker who exploited this vulnerability could gain SYSTEM privileges. Risk-based prioritization warrants treating this vulnerability as Critical.
Microsoft has resolved an Elevation of Privilege vulnerability in Windows Storage (CVE-2025-21391). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Windows 10 to 11 and Server 2016 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.
Microsoft has revised the previously resolved Security Feature Bypass in Secure Boot (CVE-2023-24932). The vulnerability is rated Important and has a CVSSv3.1 score of 6.7. The CVE entry was updated to include Windows 11 24H2 and Server 2025, as they are also affected by this known, publicly exploited vulnerability. Additionally, Microsoft has released a more comprehensive update to all affected versions to fully protect against this vulnerability. Risk-based prioritization warrants treating this vulnerability as Critical.
Microsoft publicly disclosed vulnerabilities
Microsoft has resolved a Spoofing Vulnerability in NTLM Hash Disclosure (CVE-2025-21377). The vulnerability is rated Important and has a CVSSv3.1 score of 6.5. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is publicly disclosed. The temporal metrics indicate Exploit Code Maturity is Functional, further increasing the risk of exploitation. Risk-based prioritization warrants treating this vulnerability as Critical.
Microsoft has resolved a Security Feature Bypass in Microsoft Surface (CVE-2025-21194). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Microsoft Surface and Surface Dev Kit systems. Microsoft has confirmed that this vulnerability is publicly disclosed, but the code maturity is unproven.
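The risk-based escalation applied to the Microsoft CVEs above can be written as a small triage rule that produces a patch order. This is an added example, not code from the original article or from Microsoft; the escalation rule, the `Advisory` fields and the sort order are assumptions inferred from the ratings given in the text.

```python
from dataclasses import dataclass

# Sort order for priorities: lower index is patched first.
LEVELS = ["Critical", "Important", "Moderate", "Low"]

@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    vendor_severity: str          # vendor rating as published
    cvss: float                   # CVSSv3.1 base score
    exploited: bool = False       # vendor confirms exploitation in the wild
    disclosed: bool = False       # vendor confirms public disclosure
    maturity: str = "Not stated"  # CVSS temporal Exploit Code Maturity

def risk_priority(a: Advisory) -> str:
    """Assumed rule: escalate to Critical when exploitation is confirmed, or
    when the issue is publicly disclosed and exploit code is Functional/High.
    Otherwise keep the vendor rating."""
    if a.exploited:
        return "Critical"
    if a.disclosed and a.maturity in ("Functional", "High"):
        return "Critical"
    return a.vendor_severity

def patch_order(advisories):
    """Sort by risk priority, then exploited first, then CVSS descending."""
    return sorted(
        advisories,
        key=lambda a: (LEVELS.index(risk_priority(a)), not a.exploited, -a.cvss),
    )

# Values transcribed from the article text above.
FEBRUARY = [
    Advisory("CVE-2025-21194", "Microsoft Surface", "Important", 7.1,
             disclosed=True, maturity="Unproven"),
    Advisory("CVE-2025-21377", "NTLM Hash Disclosure", "Important", 6.5,
             disclosed=True, maturity="Functional"),
    Advisory("CVE-2023-24932", "Secure Boot", "Important", 6.7, exploited=True),
    Advisory("CVE-2025-21391", "Windows Storage", "Important", 7.1, exploited=True),
    Advisory("CVE-2025-21418", "AFD for WinSock", "Important", 7.8, exploited=True),
]

if __name__ == "__main__":
    for a in patch_order(FEBRUARY):
        print(f"{risk_priority(a):9} {a.cve:15} CVSS {a.cvss}  {a.component}")
```

Under this rule the Surface bypass keeps its vendor rating because its exploit code maturity is unproven, while the NTLM hash disclosure issue is escalated on the strength of functional exploit code alone.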
Third-party vulnerabilities
Adobe released updates for InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements, resolving a total of 45 CVEs. Six of the updates are Priority 3. Adobe Commerce is set to Priority 1. The Commerce update resolves 30 of the 45 total CVEs Adobe resolved this month and warrants more immediate attention.
Google Chrome is expected to update later today, which will trigger updates for Chromium-based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.