Cyber threats don’t take a break, and February 2025 proved just that. This month, we saw some serious vulnerabilities that could cause major problems if not patched quickly. From remote code execution flaws in Windows to security gaps that could give hackers control of your systems, it’s clear that the danger is real and urgent.
In this roundup, we’re breaking down the most impactful CVEs disclosed this month, highlighting their risks, affected systems, and why security teams need to act fast.
CVE-2025-0108 is a critical authentication bypass vulnerability in the management web interface of Palo Alto Networks’ PAN-OS software. This flaw allows unauthenticated attackers with network access to the management interface to bypass authentication and invoke specific PHP scripts, potentially compromising the system’s integrity and confidentiality.
The vulnerability arises from improper handling of web requests by the management interface, enabling attackers to bypass authentication mechanisms and access certain PHP scripts. While this does not permit remote code execution, it poses significant risks to the system’s integrity and confidentiality.


Attackers with network access to the management web interface can exploit this vulnerability to bypass authentication and invoke specific PHP scripts. Successful exploitation can lead to unauthorised access, potentially compromising the system’s integrity and confidentiality. Notably, there have been observed attempts to chain this vulnerability with others, such as CVE-2024-9474 and CVE-2025-0111, to enhance the attack’s impact.
To mitigate this vulnerability, it is essential to:
1. Restrict Access: Limit access to the management web interface to trusted internal IP addresses, following Palo Alto Networks’ critical deployment guidelines.
2. Apply Patches: Upgrade to the fixed PAN-OS versions:
This CVE has been added to CISA’s Known Exploited Vulnerabilities Catalog, underscoring the urgency for remediation. Organisations using affected PAN-OS versions should apply the recommended patches promptly and ensure that management interfaces are not exposed to untrusted networks.
CVE-2025-21418 is a significant elevation of privilege vulnerability in the Windows Ancillary Function Driver (AFD.sys) for WinSock. This flaw allows authenticated attackers to execute code with SYSTEM privileges, potentially leading to full system compromise.
The vulnerability resides in the AFD.sys driver, which interfaces with the Windows Sockets API to facilitate network communications for Windows applications. An authenticated user can exploit this flaw by running a specially crafted program, enabling the execution of arbitrary code with SYSTEM-level privileges. This type of vulnerability is often combined with a code execution exploit to achieve complete system takeover.


To exploit this vulnerability, an attacker must have local authenticated access to the target system. By executing a specially crafted program, the attacker can elevate their privileges to SYSTEM level, gaining complete control over the system. This vulnerability has been actively exploited in the wild, underscoring the urgency for remediation.
To mitigate this vulnerability, it is essential to:
This CVE has been added to CISA’s Known Exploited Vulnerabilities Catalog, highlighting its significance and the necessity for immediate action. Organizations are strongly advised to apply the recommended patches and follow mitigation strategies to protect their systems from potential exploitation.
For more detailed information, refer to Microsoft’s official security advisory and the National Vulnerability Database entry for CVE-2025-21418.
CVE-2025-21400 is a remote code execution (RCE) vulnerability in Microsoft SharePoint Server. This vulnerability allows authenticated attackers with user interaction to execute arbitrary code on the affected server.
An attacker with valid credentials can exploit this vulnerability by convincing a user to connect to a malicious server. Successful exploitation enables the attacker to execute arbitrary code within the context of the SharePoint application pool or server farm account.

1. Severity: High
2. CVSS Score: 8.0
3. Impact: High (affecting Confidentiality, Integrity, and Availability)
4. Affected Products:
5. Vulnerability Type: Remote Code Execution (RCE)
6. Exploitability: Exploitation requires valid credentials and user interaction.
7. Authentication: Required for exploitation.

To mitigate this vulnerability, it is essential to:
This vulnerability was addressed in Microsoft’s February 2025 Patch Tuesday release. Administrators are strongly advised to prioritize the deployment of the relevant patches to prevent potential exploitation.
CVE-2025-21420 is a significant elevation of privilege vulnerability in the Windows Disk Cleanup Tool (cleanmgr.exe). This flaw allows attackers to gain SYSTEM-level privileges on affected Windows systems by exploiting the tool’s improper handling of symbolic links.
The vulnerability arises from the Disk Cleanup Tool’s failure to correctly resolve symbolic links before accessing files. An attacker with local access can create a malicious symbolic link that the tool processes, leading to unauthorised file operations and potential elevation to SYSTEM privileges.


An attacker with local access can exploit this vulnerability by creating a crafted symbolic link that the Disk Cleanup Tool processes. This manipulation can lead to unauthorised file operations, allowing the attacker to execute arbitrary code with SYSTEM privileges.
To address this vulnerability:
This vulnerability was addressed in Microsoft’s February 2025 Patch Tuesday updates. A proof-of-concept exploit demonstrating the flaw was published, underscoring the importance of prompt patch application. Organisations are urged to update their systems immediately to prevent potential exploitation.
CVE-2025-21376 is a critical remote code execution vulnerability in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP) implementation. This flaw allows attackers to execute arbitrary code remotely by sending specially crafted requests to a vulnerable LDAP server, potentially leading to unauthorised system control.

1. Severity: High
2. CVSS Score: 8.1
3. Impact: High (affecting Confidentiality, Integrity, and Availability)
4. Affected Products:
5. Vulnerability Type: Remote Code Execution (RCE)
6. Exploitability: The vulnerability is considered “wormable,” meaning it can propagate across networks without user interaction.
7. Authentication: None required for exploitation.
ExploitationAn attacker can exploit this vulnerability by sending a specially crafted request to a vulnerable LDAP server, triggering a buffer overflow that allows for arbitrary code execution. Due to its wormable nature, the exploit can spread rapidly across networks, similar to past outbreaks like WannaCry.
To mitigate this vulnerability, it is essential to:
Microsoft disclosed this vulnerability on February 11, 2025, as part of its February 2025 Patch Tuesday release. Due to its critical nature and potential for rapid propagation, it is imperative to apply the provided security updates promptly to protect systems from potential exploitation.
February 2025’s top CVEs highlight the constant evolution of cyber threats. From critical exploits to stealthy privilege escalation flaws, these risks demand swift action. Prioritizing the most severe vulnerabilities can make all the difference in keeping systems secure. For deeper insights and practical strategies to tackle these threats, explore Strobes’ Vulnerability Intelligence platform.
The post Top CVEs & Vulnerabilities February 2025 appeared first on Strobes Security.
*** This is a Security Bloggers Network syndicated blog from Strobes Security authored by Shubham Jha. Read the original post at: https://strobes.co/blog/top-cves-vulnerabilities-february-2025/