Flash Notice: Actively Exploited Windows Zero-Days

Written by Marketing | Feb 12, 2025 9:29:22 PM

overview

Microsoft’s February 2025 Patch Tuesday release fixed 55 vulnerabilities, two of which are known to be under active exploitation: CVE-2025-21391 and CVE-2025-21418.
 
CVE-2025-21391 is an elevation of privilege vulnerability in Windows Storage. It allows a local, authenticated attacker to delete targeted files on a system, which can lead to service disruption. It does not permit the disclosure of confidential information, so its direct impact is on integrity and availability rather than confidentiality.

The vulnerability arises from improper link resolution before file access (CWE-59): a privileged Windows component resolves a path under the attacker's control without checking whether a component of that path is a link. By planting a link that redirects the operation to critical system files or user data, the attacker causes the privileged component to delete files the attacker could not delete directly. This can result in data corruption or loss and make services or the entire system unavailable.
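To make the CWE-59 pattern concrete, the following added example (not code from Microsoft, Avertium, or the affected Windows component) shows a privileged cleanup routine that deletes files from a user-controlled staging directory, first in the link-following form and then hardened. It uses POSIX symbolic links so it runs on Linux or macOS; on Windows the attacker's equivalent is an NTFS junction (mklink /J) or an object manager symbolic link. The directory layout and the names build_scenario, vulnerable_cleanup and safe_cleanup are constructed for illustration.

```python
"""CWE-59 (improper link resolution before file access) on a privileged
cleanup routine. Added example, not code from the advisory or from Windows.
Uses POSIX symlinks so it runs on Linux/macOS; on Windows the attacker's
equivalent is an NTFS junction (mklink /J) or object manager symlink."""
import os
import stat
import tempfile


def build_scenario(root):
    """Constructed layout: a 'protected' directory the attacker cannot write,
    and an attacker-owned 'user/staging' directory that a privileged service
    cleans. The attacker has replaced 'staging' with a link to 'protected'."""
    protected = os.path.join(root, "protected")
    os.makedirs(protected)
    victim = os.path.join(protected, "important.dat")
    with open(victim, "w") as fh:
        fh.write("do not delete")
    user_dir = os.path.join(root, "user")
    os.makedirs(user_dir)
    staging = os.path.join(user_dir, "staging")
    os.symlink(protected, staging)  # the malicious link
    return staging, victim


def vulnerable_cleanup(staging):
    """Deletes every regular file under 'staging'. listdir/isfile/remove all
    follow the directory link, so the deletions land on the link target."""
    deleted = []
    for name in os.listdir(staging):
        path = os.path.join(staging, name)
        if os.path.isfile(path):
            os.remove(path)
            deleted.append(path)
    return deleted


def safe_cleanup(staging, allowed_root):
    """Check for links before acting, confirm the resolved path stays inside
    the tree the service is allowed to touch, then work relative to a
    directory descriptor opened with O_NOFOLLOW so nothing can be swapped in
    between the check and the delete."""
    if stat.S_ISLNK(os.lstat(staging).st_mode):
        raise PermissionError(f"refusing to clean a link: {staging}")
    root = os.path.realpath(allowed_root)
    if os.path.commonpath([os.path.realpath(staging), root]) != root:
        raise PermissionError(f"{staging} resolves outside {allowed_root}")
    dir_fd = os.open(staging, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    deleted = []
    try:
        for name in os.listdir(dir_fd):
            entry = os.lstat(name, dir_fd=dir_fd)
            if stat.S_ISREG(entry.st_mode):  # skip links and sub-directories
                os.unlink(name, dir_fd=dir_fd)
                deleted.append(os.path.join(staging, name))
    finally:
        os.close(dir_fd)
    return deleted


def demo():
    """Returns (victim survives vulnerable_cleanup, victim survives safe_cleanup)."""
    with tempfile.TemporaryDirectory() as root:
        staging, victim = build_scenario(root)
        vulnerable_cleanup(staging)
        after_vulnerable = os.path.exists(victim)
    with tempfile.TemporaryDirectory() as root:
        staging, victim = build_scenario(root)
        try:
            safe_cleanup(staging, os.path.join(root, "user"))
        except PermissionError:
            pass
        after_safe = os.path.exists(victim)
    return after_vulnerable, after_safe


def legit_demo():
    """safe_cleanup on a genuine staging directory: regular files go, a
    planted link inside the directory is left alone. Returns files deleted."""
    with tempfile.TemporaryDirectory() as root:
        user_dir = os.path.join(root, "user")
        staging = os.path.join(user_dir, "staging")
        os.makedirs(staging)
        for name in ("a.tmp", "b.tmp"):
            open(os.path.join(staging, name), "w").close()
        os.symlink("nowhere", os.path.join(staging, "planted"))
        return len(safe_cleanup(staging, user_dir))


if __name__ == "__main__":
    print(demo(), legit_demo())  # (False, True) 2
```

The vulnerable routine never asks whether "staging" is what it expects; it trusts the path and lets the filesystem resolve the link, so a deletion meant for an attacker-owned directory lands on the protected file. The hardened routine refuses links at the top level, confirms the resolved path is inside the permitted tree, and then unlinks by name relative to a descriptor opened with O_NOFOLLOW, which is the same discipline a Windows service needs when it acts on a user-writable path as SYSTEM.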

CVE-2025-21418 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys). This flaw allows a local, authenticated attacker to execute code with SYSTEM-level privileges by running a specially crafted program. Microsoft has confirmed active exploitation of this vulnerability in the wild.  

The vulnerability has been assigned a CVSSv3 base score of 7.8 (High). Exploitation requires local access and low privileges, with no user interaction necessary, and the impact on confidentiality, integrity, and availability is rated high, which corresponds to the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Important considerations regarding these vulnerabilities: CVE-2025-21391 only allows an attacker to delete files on the targeted system. While that alone can interrupt business, in practice it would be one step in a wider attack rather than the whole of it. CVE-2025-21418, on the other hand, gives an attacker who has already gained low-privileged local access a direct path to SYSTEM.

how avertium is protecting our customers


IOCs ADDED TO OUR THREAT FEEDS

At this time, there are no known IoCs associated with successful exploitation of CVE-2025-21391 or CVE-2025-21418. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.


TTPs TO MONITOR

CVE-2025-21391: Windows Storage Elevation of Privilege

Tactic | Technique | Description
Privilege Escalation | T1068 - Exploitation for Privilege Escalation | A low-privileged local user makes a privileged component delete files the user could not delete directly. Microsoft describes deletion as the only direct impact, so this is one step in a wider chain rather than a direct route to SYSTEM.
Defense Evasion | T1070.004 - Indicator Removal: File Deletion | Since the vulnerability allows targeted file deletion, an attacker could use it to remove logs or other forensic evidence.
Impact | T1485 - Data Destruction | Used destructively, the attacker could delete key system or user files, causing data loss, system instability, or denial of service (DoS).


CVE-2025-21418: Windows AFD.sys Elevation of Privilege

Tactic | Technique | Description
Privilege Escalation | T1068 - Exploitation for Privilege Escalation | An attacker with low-privileged local access runs a specially crafted program to escalate to SYSTEM.
Defense Evasion | T1070 - Indicator Removal | With SYSTEM privileges an attacker can clear event logs or otherwise hide traces of their activity.
Persistence | T1547.002 - Boot or Logon Autostart Execution: Authentication Package | SYSTEM privileges allow registering a malicious LSA authentication package that is loaded at boot, giving the attacker persistence.
Execution | T1203 - Exploitation for Client Execution | A client-side exploit (for example a malicious document or browser content) could provide the initial low-privileged foothold that this local elevation of privilege then turns into full system compromise.
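As an added example (not Avertium detection content or Microsoft guidance), the following Python turns the two tables above into detection logic and runs it over constructed Sysmon-style events. The event fields are a simplified subset of Sysmon Event 1 (ProcessCreate) and Event 23 (FileDelete); the sample events, the presence of the ParentUser field, and every allowlist are assumptions for illustration rather than tuned rules.

```python
"""Detection logic for the TTP tables above, run over constructed Sysmon-style
events. Added example; the event shapes are a simplified subset of Sysmon
Event 1 (ProcessCreate) and Event 23 (FileDelete), and every allowlist below is
an illustrative starting point, not a tuned rule."""
from dataclasses import dataclass

SYSTEM = "NT AUTHORITY\\SYSTEM"
SERVICE_ACCOUNTS = {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}

# Parents that legitimately spawn SYSTEM processes. A SYSTEM child whose parent
# ran as an ordinary user is the shape of a local EoP such as CVE-2025-21418.
TRUSTED_SYSTEM_PARENTS = {
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\svchost.exe",
}

# Paths where deletion is worth reviewing (T1070.004 / T1485). The image
# allowlist is kept narrow on purpose: with a link-following bug such as
# CVE-2025-21391 the deleting Image is the trusted privileged component itself,
# so the target path is the main signal.
PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")
SERVICING_IMAGES = {
    "c:\\windows\\servicing\\trustedinstaller.exe",
    "c:\\windows\\system32\\msiexec.exe",
}


@dataclass
class Alert:
    technique: str
    event: dict


def _norm(path):
    return (path or "").lower()


def check_process_create(ev):
    """Sysmon Event 1. ParentUser is assumed present (recent Sysmon schemas
    populate it); an empty value is treated as unknown and not alerted on."""
    if ev.get("User", "").upper() != SYSTEM:
        return None
    parent_user = ev.get("ParentUser", "").upper()
    if not parent_user or parent_user in SERVICE_ACCOUNTS:
        return None
    if _norm(ev.get("ParentImage")) in TRUSTED_SYSTEM_PARENTS:
        return None
    return Alert("T1068", ev)


def check_file_delete(ev):
    """Sysmon Event 23: a file under a protected path removed by something
    other than Windows servicing. Event-log files map to T1070.004."""
    target = _norm(ev.get("TargetFilename"))
    if not target.startswith(PROTECTED_PREFIXES):
        return None
    if _norm(ev.get("Image")) in SERVICING_IMAGES:
        return None
    technique = "T1070.004" if "\\winevt\\logs\\" in target else "T1485"
    return Alert(technique, ev)


HANDLERS = {1: check_process_create, 23: check_file_delete}


def run(events):
    """Apply the matching check to each event; returns the alerts in order."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        alert = handler(ev) if handler else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 1, "User": SYSTEM, "ParentUser": "CORP\\jdoe",
     "ParentImage": "C:\\Users\\jdoe\\Downloads\\update.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},               # EoP shape
    {"EventID": 1, "User": SYSTEM, "ParentUser": SYSTEM,
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\svchost.exe"},           # normal
    {"EventID": 23, "User": SYSTEM,
     "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\old.sys"},  # servicing
    {"EventID": 23, "User": SYSTEM,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx"},
    {"EventID": 23, "User": SYSTEM,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Program Files\\Vendor Agent\\agent.exe"},
    {"EventID": 1, "User": "CORP\\jdoe", "ParentUser": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe"},           # normal
]


def triggered_techniques(events=SAMPLE_EVENTS):
    return [a.technique for a in run(events)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert.technique, alert.event.get("Image"), alert.event.get("TargetFilename"))
```

Two design points carry over to real telemetry. First, svchost.exe is deliberately absent from the deletion allowlist: in a CVE-2025-21391-style attack the deleting process is the legitimate privileged component, so an allowlist built on the Image alone would hide exactly the event you want, and the useful follow-up is correlating the deletion with the low-privileged process that staged the link shortly before. Second, the process-creation rule treats a missing ParentUser as unknown rather than suspicious, which keeps older Sysmon deployments from flooding the queue but also means the rule is blind there until the field is available.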


additional recommendations + information

Apply Patches: Microsoft has released patches for both vulnerabilities as part of its February 2025 Patch Tuesday updates. Users and organizations are strongly advised to apply these updates promptly to mitigate potential risks.

For users unable to immediately apply patches for CVE-2025-21418 and CVE-2025-21391, implementing the following workarounds can help mitigate potential exploitation risks: 

CVE-2025-21418: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability 

  • Do not rely on changing AFD.sys itself: AFD.sys is a kernel-mode driver loaded at boot and reached through the Winsock API from any process on the host, so tightening the file permissions on the driver does not stop a local user from reaching the vulnerable code, and the driver cannot be disabled without losing network connectivity. 
  • Limit who can run code on the host: Exploitation requires an authenticated local user to run a specially crafted program. Application control (WDAC or AppLocker), restricting interactive and remote logon to the accounts that need it, and removing unused local accounts reduce the opportunity to run an exploit until the update is applied. 
  • Prioritize hosts where untrusted or low-privileged users can execute code, such as terminal servers, shared workstations, and developer machines. 

CVE-2025-21391: Windows Storage Elevation of Privilege Vulnerability 

  • Restrict User Permissions: Ensure that users have the minimum necessary permissions to perform their tasks. This limits what an attacker can reach and the damage a targeted deletion can do. 
  • Keep symbolic link creation restricted: Leave SeCreateSymbolicLinkPrivilege with Administrators and avoid enabling Developer Mode on production hosts. This raises the bar but is not a complete mitigation, because standard users can still create NTFS junctions in directories they own. 
  • Disable Unnecessary Services: Identify and disable non-essential services that interact with the Windows Storage component, so that fewer privileged components perform file operations on user-controlled paths. 


ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).


SUPPORTING DOCUMENTATION

Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws 

Patch Tuesday February 2025 

CVE-2025-21418