After dumping patches on us last month, Microsoft must have felt sorry for us this month because, size-wise, we’re only getting 38% of the updates we had last month. Admins can breathe a further sigh of relief when they realize that CVE-2025-21177 is informational (it was already patched by Microsoft on the server side) and that several of the CVEs may not apply in their environment.
While we see the usual updates this month, there are a pair of mobile updates that admins will likely not be as concerned about. There are also several updates to Internet Connection Sharing (ICS), which is not commonly found in enterprise environments. Finally, there are a pair of updates for Visual Studio Code, which, in most environments, will update automatically with a restart of the application.
There are 6 CVEs that stood out to me this month to call attention to… they include 2 exploited CVEs, 2 publicly disclosed CVEs, the only CVE with a critical CVSS score, and a single CVE that is marked as no customer action required.
The pair of exploited CVEs include CVE-2025-21391, a vulnerability in Windows Storage that could allow a local attacker to delete files on the system, and CVE-2025-21418, a vulnerability in Windows AFD for WinSock that could allow a local attacker to escalate privileges to SYSTEM.
While both of these vulnerabilities are rated Important by Microsoft and have CVSS scores in the 7.x range, I would treat the Windows AFD for WinSock vulnerability as critical when it comes to patching, given that it has seen active exploitation.
The pair of publicly disclosed vulnerabilities this month include CVE-2025-21194, a vulnerability impacting Microsoft Surface products, and CVE-2025-21377, an NTLM hash disclosure vulnerability.
Given that the Microsoft Surface vulnerability is hardware specific, this may limit the number of impacted environments.
The only vulnerability to rate at or above a CVSS 9.0 this month is CVE-2025-21198, which is rated at exactly a 9.0. This vulnerability impacts the Linux agent in High Performance Compute clusters and requires that an attacker have access to the network used to connect the cluster in order to perform a remote attack against the agent. This networking requirement should limit the impact of what would otherwise be a more serious vulnerability.
Finally, I want to call attention to CVE-2025-21177, a vulnerability in Microsoft Dynamics 365 Sales. This vulnerability has already been resolved by Microsoft and makes use of the newer CAR (Customer Action Required) attribute to indicate that no customer action is required. While these informational updates are nice, they can bloat the number of updates that admins may be worried about dealing with on a Patch Tuesday. One can’t help but wonder if these updates should be issued outside of Patch Tuesday, since they do not require customer action.
Fortra® Security & Trust Center