Microsoft has fixed 4 critical vulnerabilities

Microsoft's latest security update fixes 55 vulnerabilities, including four critical zero-day flaws – two of which have been actively used in cyberattacks.

What's known

Among the fixes, 22 vulnerabilities allowed remote code execution, and 19 could allow attackers to gain elevated system privileges. Three of them were classified as “Critical”.

Two "zero-days" that are actively exploited:

  • CVE-2025-21391 – a flaw in Windows Storage that allows attackers to delete files, which can lead to system failures.
  • CVE-2025-21418 – a vulnerability in the Windows Ancillary Function Driver that allows hackers to gain complete access to the system.

Two other zero-days disclosed:

  • CVE-2025-21194 – a security flaw in Microsoft Surface that could allow attackers to bypass UEFI protection, related to the previous PixieFail vulnerability.
  • CVE-2025-21377 – an NTLM hash substitution bug that could allow hackers to steal credentials when a user interacts with a malicious file.

Microsoft recommends that users update their systems immediately to stay protected.

By Natasha Kumar