Microsoft fixes 63 vulnerabilities, including 2 zero-days – CyberScoop

Microsoft patched 63 vulnerabilities affecting some of its underlying systems and core products, including Microsoft Excel, Microsoft Office, Windows CoreMessaging and Windows Storage, the company said in its latest security update Tuesday.
More than two-thirds of the vulnerabilities covered in the update are high-severity flaws on the CVSS scale. Vulnerabilities with high-severity base scores run across multiple Microsoft systems, impacting Windows Telephony Service, Windows Ancillary Function Driver, Microsoft Dynamics 365 Sales and other key services.
The vendor’s monthly batch of patches addresses two actively exploited zero-day vulnerabilities: privilege escalation flaws in Windows Storage, tracked as CVE-2025-21391, and Windows Ancillary Function Driver for WinSock, tracked as CVE-2025-21418.
The actively exploited vulnerability in Windows Storage, an improper link resolution before file access defect with a CVSS score of 7.1, allows an attacker to delete targeted files on a system. Microsoft said the vulnerability doesn’t put confidential data at risk, but noted it could allow an attacker to delete data, rendering the service inoperable.
Attackers who combine CVE-2025-21391 exploits with other vulnerabilities could escalate privileges and cause more severe damage, according to Mike Walters, president and co-founder of Action1.
“Large organizations with numerous Windows systems are at significant risk due to the widespread use of Windows Storage features,” Walters said in an email. “Given the ubiquity of Windows operating systems in business environments, potentially millions of organizations worldwide could be at risk. The actual number depends on Windows version adoption rates and existing security measures.”
The second zero-day addressed by Microsoft, a heap-based overflow vulnerability impacting Windows Ancillary Function Driver for WinSock, allows an attacker to gain system privileges and carries a CVSS score of 7.8.
Adam Barnett, lead software engineer at Rapid7, said in an email that organizations have used the Windows Ancillary Function Driver for foundational networking functionality for decades, effectively as a kernel driver that interacts with large amounts of user-supplied input.
“Microsoft is aware of existing exploitation in the wild, and with low attack complexity, low privilege requirements, and no requirement for user interaction, CVE-2025-21418 is one to prioritize for patching,” Barnett told CyberScoop.
Microsoft designated nine of the vulnerabilities addressed in the security update as “more likely” to be exploited. The majority of those defects carry high-severity scores on the CVSS scale, including CVE-2025-21400, a remote-code execution flaw in Microsoft SharePoint Server, and a pair of privilege escalation vulnerabilities in Windows CoreMessaging, CVE-2025-21184 and CVE-2025-21358.
“Microsoft’s exploitability likelihood rating is somewhat opaque, but to add more context about the nine vulnerabilities labeled likely to be exploited, we know that they all had low or no privileges required to exploit, and two of them had public exploit code available,” Jackson Rolf, security analyst at Censys, said in an email to CyberScoop.
Rolf noted that six of the vulnerabilities addressed by Microsoft this month are remote-code execution flaws impacting the Windows Telephony Service. These flaws carry low attack complexity and don’t require privileges for exploitation, he added.
The sole critical-severity vulnerability covered in Microsoft’s security update, CVE-2025-21198, is a remote-code execution flaw impacting the Linux agent in Microsoft High Performance Compute clusters. It requires an attacker to have access to the network connected to the targeted cluster or Linux compute node.
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.