Microsoft Patch Tuesday, February 2025 Edition

Microsoft has released security patches today to address at least 56 vulnerabilities within its Windows operating systems and associated software, which includes two zero-day weaknesses that are currently under active exploitation.

February 2025: The Essential Microsoft Patch Tuesday Update

This month, all supported Windows operating systems will receive an update for a buffer overflow vulnerability known as CVE-2025-21418. Enterprises should prioritize this patch since Microsoft indicates it is being exploited, presents low attack complexity, and requires no user interaction.

Tenable senior staff research engineer Satnam Narang pointed out that since 2022 there have been nine elevation of privilege vulnerabilities in the same Windows component, three reported in each year, and that one of the 2024 flaws (CVE-2024-38193) was exploited in the wild as a zero-day.

“CVE-2024-38193 was utilized by the North Korean APT group identified as Lazarus Group to deploy a new variant of the FudModule rootkit to ensure persistence and stealth on compromised systems,” Narang explained. “It remains unclear whether CVE-2025-21418 has also been exploited by Lazarus Group.”

The second zero-day, CVE-2025-21391, represents an elevation of privilege issue within Windows Storage that could potentially allow file deletions on targeted systems. Microsoft’s advisory regarding this flaw refers to a concept called “CWE-59: Improper Link Resolution Before File Access,” highlights that no user interaction is necessary, and notes that the attack complexity is low.

Adam Barnett, lead software engineer at Rapid7, remarked that while the advisory provides minimal information and even gives a vague assurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be erroneous to assume that the consequences of deleting arbitrary files would solely involve data loss or denial of service.

“As early as 2022, ZDI researchers illustrated how a determined attacker could leverage arbitrary file deletion for full SYSTEM access through techniques also involving inventive misuse of symbolic links,” Barnett noted.
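The CWE-59 pattern named in the CVE-2025-21391 advisory, as an added example that is not code from Microsoft, the advisory, or the ZDI research quoted above: a privileged cleanup routine that deletes a file under its working directory, first written the way the weakness class describes, then with the link checks that stop a planted link from redirecting the delete. The directory layout in `demo()` is constructed for the example and does not reproduce the actual Windows Storage bug.

```python
import os
import stat
import tempfile
from pathlib import Path

def naive_cleanup(base_dir: str, relname: str) -> None:
    """CWE-59 pattern: join and remove without checking whether any path
    component is a link, so a link placed in base_dir redirects the delete."""
    os.remove(os.path.join(base_dir, relname))

def safe_cleanup(base_dir: str, relname: str) -> None:
    """Delete base_dir/relname only if no component below base_dir is a
    symbolic link and the fully resolved path still lies inside base_dir."""
    base = Path(base_dir).resolve()
    current = base
    for part in Path(relname).parts:
        current = current / part
        # lstat does not follow links, so we inspect the link itself.
        if stat.S_ISLNK(os.lstat(current).st_mode):
            raise PermissionError(f"refusing to follow link at {current}")
    # Backstop: realpath also resolves Windows junctions, which S_ISLNK misses.
    resolved = current.resolve()
    if os.path.commonpath([str(base), str(resolved)]) != str(base):
        raise PermissionError(f"{resolved} escapes {base}")
    os.remove(resolved)

def demo() -> dict:
    """Constructed scenario: work/link is a directory symlink to a directory the
    cleanup routine was never meant to touch. Returns what each routine deleted."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        outside, work = Path(tmp) / "outside", Path(tmp) / "work"
        outside.mkdir()
        work.mkdir()
        victim = outside / "important.dat"
        victim.write_text("constructed sample data")
        (work / "scratch.tmp").write_text("constructed temp file")
        os.symlink(outside, work / "link", target_is_directory=True)
        safe_cleanup(str(work), "scratch.tmp")  # ordinary file: allowed
        result["safe_deleted_legit"] = not (work / "scratch.tmp").exists()
        try:
            safe_cleanup(str(work), "link/important.dat")
        except PermissionError:
            pass
        result["safe_deleted_outside"] = not victim.exists()
        naive_cleanup(str(work), "link/important.dat")
        result["naive_deleted_outside"] = not victim.exists()
    return result
```

The hardened version is still check-then-act, so a production fix on Windows also needs the delete itself performed under the requesting user's token or through a handle opened without following reparse points.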

One vulnerability fixed today that had been publicly disclosed beforehand is CVE-2025-21377, another flaw that allows an attacker to gain elevated privileges on a vulnerable Windows system. Specifically, it is yet another Windows weakness that can be exploited to capture NTLMv2 hashes, which effectively lets an attacker authenticate as the targeted user without logging in as them.

Microsoft indicates that minimal user interaction with a malicious file is required to exploit CVE-2025-21377, including selecting, inspecting, or “performing any action aside from merely opening or executing the file.”

“This characteristic linguistic evasion may be Microsoft’s method of signaling ‘if we disclosed any more, we’d reveal too much,’” Barnett stated. “Consequently, Microsoft assesses that exploitation is likely.”

The SANS Internet Storm Center maintains a useful list of all Microsoft patches released today, categorized by severity. Windows enterprise administrators would benefit from monitoring askwoody.com, which frequently reports on any patches that may cause issues.

It is becoming increasingly challenging to acquire Windows software that isn’t bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month, Microsoft began to incorporate Copilot with Microsoft Office 365, which has been rebranded to “Microsoft 365 Copilot.” Allegedly to offset the expenses of its significant AI investments, Microsoft also raised prices by 22 percent to 30 percent for upcoming license renewals and new subscriptions.

Office-watch.com reports that existing Office 365 users who are on an annual cloud license do have the choice of “Microsoft 365 Classic,” a subscription free of AI features at a lower cost, but many customers do not receive this option until they attempt to cancel their current Office subscription.

In additional patch news, Apple has released iOS 18.3.1, correcting a zero-day vulnerability (CVE-2025-24200) that is being used in attacks.

Adobe has rolled out security updates addressing a total of 45 vulnerabilities across InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer, and Photoshop Elements.

Chris Goettl from Ivanti highlights that Google Chrome is also releasing an update today that will trigger updates for Chromium-based browsers, including Microsoft Edge, so watch for updates for Chrome and Edge as the week progresses.
