February 11, 2025

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and no requirements for user interaction.

Tenable senior staff research engineer Satnam Narang noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).

“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang said. “At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.”

The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.

Adam Barnett, lead software engineer at Rapid7, said although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.

“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,” Barnett wrote.
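The weakness class named in the advisory, CWE-59, can be seen in a privileged cleanup routine that deletes a path without checking whether a directory component is a link. The following is an added illustration, not code from Microsoft's advisory or this article; it is a POSIX analogue rather than the Windows Storage bug itself, and every function and file name in it is hypothetical.

```python
import os
import stat
import tempfile

# Hypothetical helpers for illustration; POSIX-only (uses dir_fd and O_NOFOLLOW).
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def naive_purge(root, rel_path):
    """CWE-59 pattern: the OS resolves links in every directory component."""
    os.remove(os.path.join(root, rel_path))

def safe_purge(root, rel_path):
    """Descend one component at a time from an open handle, refusing links."""
    parts = rel_path.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("path must be a plain relative path")
    fd = os.open(root, DIR_FLAGS)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, DIR_FLAGS, dir_fd=fd)  # OSError if name is a link
            os.close(fd)
            fd = nxt
        st = os.stat(parts[-1], dir_fd=fd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing to delete a non-regular file")
        # If the entry is swapped for a link after the check, unlink removes
        # only the link itself, never its target.
        os.unlink(parts[-1], dir_fd=fd)
    finally:
        os.close(fd)

def demo():
    """Constructed sandbox: 'scratch' is user-writable, 'protected' must stay intact."""
    survived = {}
    for purge in (naive_purge, safe_purge):
        with tempfile.TemporaryDirectory() as box:
            protected = os.path.join(box, "protected")
            scratch = os.path.join(box, "scratch")
            os.mkdir(protected)
            os.mkdir(scratch)
            target = os.path.join(protected, "important.cfg")
            open(target, "w").close()
            os.symlink(protected, os.path.join(scratch, "job"))  # planted link
            try:
                purge(scratch, "job/important.cfg")
            except OSError:
                pass  # the hardened routine rejects the linked component
            survived[purge.__name__] = os.path.exists(target)
    return survived

if __name__ == "__main__":
    print(demo())
```

The returned dictionary records whether the file outside the scratch directory survived each routine.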

One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes — essentially allowing an attacker to authenticate as the targeted user without having to log in.

According to Microsoft, minimal user interaction with a malicious file is needed to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”

“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,’” Barnett said. “Accordingly, Microsoft assesses exploitation as more likely.”

The SANS Internet Storm Center has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the scoop on any patches causing problems.

It’s getting harder to buy Windows software that isn’t also bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft started bundling Copilot with Microsoft Office 365, which Redmond has since rebranded as “Microsoft 365 Copilot.” Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.

Office-watch.com writes that existing Office 365 users who are paying an annual cloud license do have the option of “Microsoft 365 Classic,” an AI-free subscription at a lower price, but that many customers are not offered the option until they attempt to cancel their existing Office subscription.

In other security patch news, Apple has shipped iOS 18.3.1, which fixes a zero-day vulnerability (CVE-2025-24200) that is showing up in attacks.

Adobe has issued security updates that fix a total of 45 vulnerabilities across InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements.

Chris Goettl at Ivanti notes that Google Chrome is shipping an update today which will trigger updates for Chromium-based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.


18 thoughts on “Microsoft Patch Tuesday, February 2025 Edition”

  1. Josh

    You forgot about DC strong cert enforcement:

    https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_certmap

    If organizations have not taken action, authentication could be broken. Even though the KB is old, February 2025 is when MS flips the switch: “domain controllers will move to Full Enforcement mode when the February 2025 Windows security update is installed. Authentication will be denied if a certificate cannot be strongly mapped”

  2. Fred Trump

    You forgot a bug CVE-2025-TRUMP. That bug affects the entire country.

    1. Red Joe

      “By the way I’m proud to be…uh as I said…the first vice president. The first black woman. To serve with a black president. Proud to…the first black woman the supreme court. There’s so much…that we can do. Because together we..there’s nothin’. Look. This is the United States America.” – Joe Biden 7/4/24

      1. Fr00tL00ps

        Will you morons p*ss off with your political crap. We had enough last article to last a lifetime.

        I know it’s the only dopamine rush you get all day so take it back to Twitter where it belongs.

  3. Brad

    Microsoft makes it hard to cancel and get the Office 365 Personal Classic version, without Copilot. Some users were able to see it, but others were not. I was able to get a free two-month extension online. I asked for a callback. After about a 10-minute wait, someone called back from MS. She said I could cancel my subscription and switch to the Classic version, but I would lose my two-month extension. OK, so if I want to keep the extra two months, I need to call back in May, when it is about to renew. Then I can cancel my Family subscription ($99 per month) and get the original $69 plan. This would be “the easiest way”, to which I disagreed.

    1. Fr00tL00ps

      Atomic Shrimp addressed this very issue only 2 weeks ago here:

      https://youtu.be/eYVPThx7yss

      I do not know what your final resolution will be or what you are prepared to accept but it may give you some options you haven’t considered. This is typical behaviour from Tech companies today dragging us all down the path of ensh*ttification.
      Good luck.

  4. Claire Barnes

    I accidentally deleted Microsoft Office (2019) from my computer and it will not reinstall with the product key. I tried but do not like the Microsoft 365 Co-pilot version. Any suggestions on how to work around this to get a ‘classic’ version of Office or an alternative that includes Excel?

    1. RipNoLonger

      Install LibreOffice.

      I’ve been forced to use Microsoft Word/Excel/etc. products for the last 20 years.

      Except for some very special embedded technologies such as VBA macros, LibreOffice should be able to read, process, and update MS-format documents very well.

      1. mealy

        Seconded. A couple of Excel spreadsheets and other things made on 365 may break, most will not. Regular updates too.

      2. Mahhn

        agreed, MS at work due to semi monopoly/bundles, Libre at home because it’s good and not evil MS that can’t make a secure OS or office version after 40 years of failing.

    2. Fr00tL00ps

      Claire, you have a few options here but it all depends on your technical ability so bear with me.

      As RipNoLonger pointed out above, LibreOffice is a good option, so is Google Sheets if it’s just an Excel alternative you are looking for. But, that doesn’t address the fact that you have a perfectly valid Office product key that you paid good money for.

      My experience with repairing corrupted Office installs over the years has been frustrating to say the least. You should never uninstall Office without a tool like Revo Uninstaller, which will scan and remove registry markers that will otherwise impede a clean reinstall.

      1. Depending on Win10 or 11. Go to installed apps in ‘Settings’ and right click the Office app. Select ‘Modify’ and this will allow you to attempt to repair a single Office programme or the whole package. Try product key again. If fail goto 2.

      2. Install Revo Uninstaller (free version) and uninstall Office with it. Choose ‘Advanced’ scan after uninstall, select and delete EVERYTHING. Run ‘sfc /scannow’ in PowerShell to repair system files. Reboot and reinstall Office. If fail goto 3.

      3. I know this is the nuclear option but I guarantee it will work. You need to back up all your data and reinstall Windows. If you are not comfortable doing this yourself your local Tech shop will do it for a fee, BUT you will have a fresh platform to deal with. Before installing Office, or any other programmes for that matter, run Chris Titus Tech’s Windows Utility Tool to tweak and debloat your Windows OS. Run ‘irm christitus.com/win | iex’ in PowerShell and uninstall Copilot, Recall, OneDrive and disable Microsoft telemetry. Then install Office.

      I know option 3 works because I just successfully reinstalled Office 2007 and 2010 on 2 family members’ ageing PCs after upgrade to Win 11. The install accepted the product keys but stumbled on the ‘internet’ activation claiming the product key had been reused too many times (‘telephone’ activation is not supported for products older than Office 2016). However after all the updates and a reboot, activation completed.

      Good Luck.

  5. Juan Neumann

    Thanks for the detailed breakdown, Brian! It’s good to see Microsoft addressing a wide range of vulnerabilities this month—especially that zero-day, which could have been a real headache if left unpatched. Your prompt coverage and clear explanations help us prioritize these updates and keep our systems safe.

  6. JohnIL

    Apple has also enabled Apple Intelligence on 18.0.1 on devices that can use it even if previously you had disabled it. Seems all these tech giants plan for you to use AI whether you like it or not. I am still skeptical it would benefit me that much to have it enabled. Apparently it will not be an opt-in choice, but I will wonder how AI will affect security going forward.

