overview

Microsoft’s latest report from Patch Tuesday highlighted fixes for a significant number of vulnerabilities, two of which are known to be under active exploitation: CVE-2025-21391 and CVE-2025-21418.  
 
CVE-2025-21391 is an elevation of privilege vulnerability in Windows Storage that has been actively exploited in the wild. This vulnerability allows a local, authenticated attacker to delete targeted files on a system, potentially leading to service disruptions. Notably, it does not permit the disclosure of confidential information.  

The vulnerability arises from improper link resolution before file access, classified under CWE-59. An attacker can exploit this flaw by creating malicious symbolic links that redirect file operations to critical system files or user data, leading to unauthorized deletion. This could result in data corruption or loss and make services or the entire system unavailable. 

CVE-2025-21418 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys). This flaw allows a local, authenticated attacker to execute code with SYSTEM-level privileges by running a specially crafted program. Microsoft has confirmed active exploitation of this vulnerability in the wild.  

The vulnerability has been assigned a CVSSv3 score of 7.8, indicating high severity. Exploitation requires local access and low privileges, with no user interaction necessary. The impact on confidentiality, integrity, and availability is rated as high. 

Important considerations regarding these vulnerabilities: CVE-2025-21391 would only allow attackers to delete files on the targeted system. While this could lead to business interruptions, exploiting this CVE would only be a part of a wider attack. CVE-2025-21418, the other hand could be exploited by an attacker who has gained initial access to elevate privileges to SYSTEM access.

 

 

how avertium is protecting our customers

 

IOCs ADDED TO OUR THREAT FEEDS

At this time, there are no known IoCs associated with successful exploitation of CVE-2024-55591. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

 

TTPs TO MONITOR

CVE-2025-21391: Windows Storage Elevation of Privilege 

Tactic 

Technique 

Description 

Privilege Escalation 

T1068 - Exploitation for Privilege Escalation 

Attackers exploit this vulnerability to gain SYSTEM-level privileges. 

Persistence 

T1546.010 - Plist Modification 

If exploited in an automated attack, modifications to Windows storage permissions may be leveraged for persistence. 

Defense Evasion 

T1070.004 - File Deletion 

Since this vulnerability allows attackers to delete targeted files, they could use it to remove forensic evidence. 

Impact 

T1485 - Data Destruction 

If leveraged destructively, the attacker could delete key system files, causing system instability or denial-of-service (DoS). 

 

CVE-2025-21418: Windows AFD.sys Elevation of Privilege 

Tactic 

Technique 

Description 

Privilege Escalation 

T1068 - Exploitation for Privilege Escalation 

Attackers use this vulnerability to escalate privileges from low-level user access to SYSTEM. 

Defense Evasion 

T1070 - Indicator Removal on Host 

Exploitation may allow attackers to clear logs or hide evidence of their activities. 

Persistence 

T1547.002 - Boot or Logon Autostart Execution: Authentication Package 

Attackers may use SYSTEM privileges to install a malicious authentication package for persistence. 

Execution 

T1203 - Exploitation for Client Execution 

If chained with a remote execution vulnerability, attackers could use this for full system compromise. 

 

 

additional recommendations + information

Apply Patches: Microsoft has released patches to address this vulnerability as part of their January 2025 Patch Tuesday updates. Users and organizations are strongly advised to apply these updates promptly to mitigate potential risks.  

For users unable to immediately apply patches for CVE-2025-21418 and CVE-2025-21391, implementing the following workarounds can help mitigate potential exploitation risks: 

CVE-2025-21418: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

  • Restrict Access to AFD.sys: Limit access to the AFD.sys driver to trusted users only. This can be achieved by modifying the file permissions to prevent unauthorized access. 
  • Disable Unnecessary Services: Identify and disable services that depend on the AFD.sys driver, if they are not essential for daily operations. This reduces the attack surface. 

CVE-2025-21391: Windows Storage Elevation of Privilege Vulnerability 

  • Restrict User Permissions: Ensure that users have the minimum necessary permissions to perform their tasks. This limits the potential impact of exploitation. 
  • Disable Unnecessary Services: Identify and disable non-essential services that interact with the Windows Storage component to reduce potential attack vectors. 

 

 

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).




 

SUPPORTING DOCUMENTATION

Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws 

Patch Tuesday February 2025 

CVE-2025-21418 

 

 

 
Chat With One of Our Experts



windows vulnerability Zero-Day Vulnerability Flash Notice Windows zero-day Windows Blog