Virtual Administrator’s February Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 57 vulnerabilities with 3 rated “Critical” in severity.

All new patches will be approved in our patch policy.

February brings a much quieter month with fewer patches although there are two actively exploited zero-day vulnerabilities CVE-2025-21391 and CVE-2025-21418. CVE-2025-21391 is a Windows Storage Elevation of Privilege vulnerability which could allow an attacker to delete data and possibly perform other actions.

CVE-2025-21418 is a Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability affecting all Windows desktop and server systems.

Two other CVEs were publicly disclosed: CVE-2025-21194 and CVE-2025-21377. CVE-2025-21377 is an NTLM Hash Disclosure spoofing vulnerability which could allow an attacker to obtain a user’s NTLMv2 hash and authenticate as that user.

CVE-2025-21194 is a Microsoft Surface Security Feature Bypass vulnerability. Exploitation requires multiple steps and is considered difficult.

There is a new informational Microsoft Security Advisory, ADV240001, and a few new SSUs for Windows Server 2012/2012 R2 and Windows 10 version 1507.

Disclosed: CVE-2025-21194, CVE-2025-21377

Exploited: CVE-2025-21391, CVE-2025-21418

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 2/11/2025)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10/11 Servicing Stack Updates are included in the monthly Cumulative Updates.

ADV240001 | Microsoft SharePoint Server Defense in Depth Update

https://msrc.microsoft.com/update-guide/vulnerability/ADV240001

We are publishing this advisory to the Security Update Guide’s Vulnerabilities tab to document the related defense in depth security updates in the Deployments tab. Generally, advisories do not contain security updates. However, Microsoft Engineering elected to provide them so that customers can ensure they are protected.

Please reference the Security Updates table or the Deployments tab to find the security update related to your product.

Known Issues

The Windows Event Viewer might display an error related to SgrmBroker.exe.

Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues it is unlikely to occur now.

A good resource for known issues with Windows 10/11 patches: find the version and click on “Known issues”.

Windows release health

“Text similar to ‘The System Guard Runtime Monitor Broker service terminated with the following error: %%3489660935’.”

https://support.microsoft.com/en-us/topic/february-11-2025-kb5051974-os-builds-19044-5487-and-19045-5487-687841b4-97c9-493a-8cb8-ba3b8c077c7e

Affected platforms: Windows 10, Server 2022

Symptom: The Windows Event Viewer might display an error related to SgrmBroker.exe on devices that have installed Windows updates released January 14, 2025 or later. This error can be found under Windows Logs > System as Event 7023, with text similar to ‘The System Guard Runtime Monitor Broker service terminated with the following error: %%3489660935’.

This error is only observable if the Windows Event Viewer is monitored closely. It is otherwise silent and does not appear as a dialog box or notification.

SgrmBroker.exe refers to the System Guard Runtime Monitor Broker Service. This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time. Although Windows updates released January 14, 2025 conflict with the initialization of this service, no impact to performance or functionality should be observed. There is no change to the security level of a device resulting from this issue. This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.

Note: There is no need to manually start this service or configure it in any way (doing so might trigger errors unnecessarily). Future Windows updates will adjust the components used by this service and SgrmBroker.exe. For this reason, please do not attempt to manually uninstall or remove this service or its components.

Workaround: No specific action is required; however, the service can be safely disabled in order to prevent the error from appearing in Event Viewer. To do so, you can follow these steps:

Open a Command Prompt window. This can be accomplished by opening the Start menu and typing ‘cmd’. The results will include “Command Prompt” as a System application. Select the arrow to the right of “Command Prompt” and select “Run as administrator”.

Once the window is open, carefully enter the following text: sc.exe config sgrmagent start=disabled

A message may appear afterwards. Next, enter the following text: reg add HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /d 4 /t REG_DWORD

Close the Command Prompt window.

This will prevent the related error from appearing in the Event Viewer on subsequent device start up. Note that some of these steps might be restricted by group policy set by your organization.
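The following PowerShell script is an added example and is not part of the Microsoft KB article or of Virtual Administrator’s recommendations. It checks a Windows 10 / Server 2022 host for the Event 7023 noise described above (updates installed on or after January 14, 2025, the SgrmBroker entries in the System log, and the service’s current Start value), and only when run with -Apply does it execute the two workaround commands exactly as the KB gives them. The LookbackDays default is an assumption; run it from an elevated PowerShell session.

```powershell
# Added example (not from the Microsoft KB article or from Virtual
# Administrator): report on the SgrmBroker Event 7023 issue and, with -Apply,
# run the KB's two workaround commands. Requires an elevated session.
[CmdletBinding()]
param(
    [switch]$Apply,           # report only unless this switch is present
    [int]$LookbackDays = 30   # assumed default: how far back to search the System log
)

$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SgrmBroker'

# 1. Updates released January 14, 2025 or later are the trigger named in the
#    KB, so the count of updates installed since then is the "in scope" signal.
$recentUpdates = @(Get-HotFix | Where-Object {
    $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2025-01-14'
})

# 2. Event 7023 is written by the Service Control Manager; keep only the
#    entries that name the System Guard Runtime Monitor Broker service.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7023
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*System Guard Runtime Monitor Broker*' })
# Get-WinEvent returns newest first, so element 0 is the most recent hit.
$lastEvent = if ($events.Count) { $events[0].TimeCreated } else { $null }

# 3. Current service state and the registry Start value. 4 = Disabled, which
#    is exactly what the KB's "reg add ... /d 4" sets.
$svc        = Get-Service -Name SgrmBroker -ErrorAction SilentlyContinue
$svcStatus  = if ($svc) { [string]$svc.Status } else { 'not present' }
$startValue = (Get-ItemProperty -Path $serviceKey -Name Start -ErrorAction SilentlyContinue).Start

[pscustomobject]@{
    UpdatesSince2025_01_14 = $recentUpdates.Count
    Event7023Count         = $events.Count
    LastEvent7023          = $lastEvent
    ServiceStatus          = $svcStatus
    RegistryStart          = $startValue
    AlreadyDisabled        = ($startValue -eq 4)
} | Format-List

if ($Apply -and $startValue -ne 4) {
    # The KB's two commands, unchanged except for /f on reg.exe so the existing
    # Start value is overwritten without an interactive Yes/No prompt.
    sc.exe config sgrmagent start=disabled
    reg add HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /d 4 /t REG_DWORD /f
    Write-Host 'Workaround applied; the error should stop on the next restart.'
}
elseif ($Apply) {
    Write-Host 'SgrmBroker Start value is already 4 (Disabled); nothing to do.'
}
```

Run it without -Apply first to see whether the host is actually logging the error; a zero Event7023Count on a machine that has the January or February update means the noise has not appeared there and, per the KB, no change is needed. As the KB notes, group policy may block the service or registry change, in which case sc.exe or reg.exe will report access denied and the reported RegistryStart will be unchanged.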

Status: We are working on a resolution and will provide an update in an upcoming release.

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only (digits, without the “KB” prefix).

Security and Quality Rollup

  • KB5052042 – Windows Server 2012 R2 (ESU)
  • KB5052020 – Windows Server 2012 (ESU)

Cumulative Updates

Windows 10

  • KB5052040 – Original release version 1507 (OS Build 10240)
  • KB5052006 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5052000 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5051974 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5051974 – Version 22H2 “November 2022 Update” (OS Build 19045)

(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)

Windows 11

  • KB5051989 – 22H2 (OS Build 22621)
  • KB5051989 – 23H2 (OS Build 22631)
  • KB5051987 – 24H2 (OS Build 26100)

(Version 21H2 is no longer under support)

Windows Server

  • KB5052006 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5052000 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5051979 – Server 2022 (OS Build 20348)
  • KB5051980 – Server 23H2 (OS Build 25398)
  • KB5051987 – Server 2025 (OS Build 26100)

Internet Explorer

  • KB5051972 – Cumulative security update for Internet Explorer
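As an added example (not part of the original post), the PowerShell below turns the cumulative-update table above into a quick compliance check: it reads the local OS build, looks up the KB this page lists for that build, asks Get-HotFix whether that KB is present, and builds the support link in the form described above. The build-to-KB mapping is taken only from the table on this page; the one minimum UBR it knows (5487 for builds 19044/19045) comes from the KB5051974 link earlier on the page, and all other minimum UBRs are left unknown rather than guessed.

```powershell
# Added example (not Virtual Administrator's or Microsoft's code): check whether
# this machine has the February 2025 cumulative update listed on this page.
# Keys are CurrentBuildNumber values; KBs and the single known UBR are from the page.
$februaryKbs = @{
    '10240' = @{ KB = 'KB5052040'; MinUbr = $null }  # Windows 10 1507
    '14393' = @{ KB = 'KB5052006'; MinUbr = $null }  # Windows 10 1607 / Server 2016
    '17763' = @{ KB = 'KB5052000'; MinUbr = $null }  # Windows 10 1809 / Server 2019
    '19044' = @{ KB = 'KB5051974'; MinUbr = 5487  }  # Windows 10 21H2 (OS Build 19044.5487)
    '19045' = @{ KB = 'KB5051974'; MinUbr = 5487  }  # Windows 10 22H2 (OS Build 19045.5487)
    '20348' = @{ KB = 'KB5051979'; MinUbr = $null }  # Server 2022
    '22621' = @{ KB = 'KB5051989'; MinUbr = $null }  # Windows 11 22H2
    '22631' = @{ KB = 'KB5051989'; MinUbr = $null }  # Windows 11 23H2
    '25398' = @{ KB = 'KB5051980'; MinUbr = $null }  # Server 23H2
    '26100' = @{ KB = 'KB5051987'; MinUbr = $null }  # Windows 11 24H2 / Server 2025
}

function Get-FebruaryPatchStatus {
    $nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$nt.CurrentBuildNumber
    $ubr   = [int]$nt.UBR                      # the ".NNNN" part of the OS build
    $entry = $februaryKbs[$build]

    if (-not $entry) {
        # Builds not in this month's table are either unsupported (see the
        # "no longer under support" notes above) or not covered by this page.
        return [pscustomobject]@{
            Product    = $nt.ProductName
            Build      = "$build.$ubr"
            ExpectedKB = '(build not in this month''s list)'
            Installed  = $null
            UbrCheck   = $null
            Link       = $null
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; it accepts the "KBnnnnnnn" form.
    $installed = [bool](Get-HotFix -Id $entry.KB -ErrorAction SilentlyContinue)

    # Where the page gives the resulting OS build, compare the UBR as well;
    # this is the more reliable signal, since the hotfix list can lag or be incomplete.
    $ubrCheck = if ($null -ne $entry.MinUbr) { $ubr -ge $entry.MinUbr } else { 'unknown' }

    [pscustomobject]@{
        Product    = $nt.ProductName
        Build      = "$build.$ubr"
        ExpectedKB = $entry.KB
        Installed  = $installed
        UbrCheck   = $ubrCheck
        Link       = 'https://support.microsoft.com/en-us/help/' + ($entry.KB -replace '^KB', '')
    }
}

Get-FebruaryPatchStatus | Format-List
```

On a Windows 10 22H2 machine that has taken this month’s update, Installed and UbrCheck both come back True and Link points at the KB5051974 page; a False for Installed with a True UbrCheck usually means the hotfix inventory is stale rather than that the patch is missing, so treat the UBR comparison as authoritative where it is available.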

February 2025 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/february-2025-updates-for-microsoft-office-eda7bb33-d6af-4428-b7b7-a06a81757e35

Notable CVEs

CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability

http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21194

Successful exploitation of this vulnerability requires multiple conditions to be met, such as specific application behavior, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token. It also requires that an attacker first gain access to the restricted network before running an attack, and that a user first reboot their machine.

Surface devices get updates through Windows Update.

CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21376

Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation could result in a buffer overflow which could be leveraged to achieve remote code execution.

CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21377

This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user. Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file could trigger this vulnerability.

CVE-2025-21379 | DHCP Client Service Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21379

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack. This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

CVE-2025-21381 | Microsoft Excel Remote Code Execution Vulnerability (KB5002687, Click to Run)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21381

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. Yes, the Preview Pane is an attack vector.

CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability (Cumulative Update)

http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21391

An attacker would only be able to delete targeted files on a system. This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable.

CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21418

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.