Microsoft has pushed a patch for a wormable, critical Lightweight Directory Access Protocol (LDAP) vulnerability, warning that exploitation of the bug, allocated CVE-2025-21376, is likely – swift patching is urged.
The LDAP vulnerability was among the 57 vulnerabilities fixed this Patch Tuesday. Two bugs are listed as under active attack and two as publicly known. Just three in February’s light Patch Tuesday are rated critical.
Those listed as under active attack are CVE-2025-21391, a Windows Storage elevation of privilege (EOP) vulnerability (CVSS 7.1), and CVE-2025-21418, a Windows Ancillary Function Driver for WinSock vulnerability, also an EOP (CVSS 7.8).
The two publicly known are CVE-2025-21194, a Microsoft Surface security feature bypass, and CVE-2025-21377, an NTLM hash disclosure.
Active Directory, your favourite attack surface
Security industry specialists at Automox also flagged that CVE-2025-21293 in Active Directory Domain Services (AD DS), which was initially disclosed during January 2025’s Patch Tuesday, is now being actively exploited with proof-of-concept scripts widely available.
“The vulnerability leverages the over-privileged ‘Network Configuration Operators’ security group, enabling attackers to gain system-level privileges. This is accomplished by registering a malicious performance counter DLL and exploiting excessive permissions on sensitive registry keys. If successfully exploited, this CVE can grant attackers unrestricted access to an AD environment,” said senior security engineer Henry Smith.
He added in emailed comment: “To protect your systems, patch all vulnerable endpoints immediately. Until patches are applied, monitor registry keys associated with performance counters for unauthorized changes or restrict access to these permissions. Regular directory audits can also help detect and mitigate unauthorized modifications…”
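The checks Smith describes (who holds the over-privileged group, which service keys it can write to, and which performance counter DLLs are registered) can be scripted. The following is an added example for this page, not Automox's or Microsoft's tooling. It assumes an elevated PowerShell session on a domain-joined host with the ActiveDirectory RSAT module; the article does not name the affected registry keys, so the script walks every service key rather than assuming any particular one.

```powershell
# Added example (not from the article). Run elevated; RSAT ActiveDirectory module
# is assumed for the group lookup on a domain controller, local group otherwise.
$Group        = 'Network Configuration Operators'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Sys32        = Join-Path $env:SystemRoot 'System32'

# 1. Membership: the fewer principals in this group, the smaller the exposure.
Write-Host "== Members of '$Group' =="
try {
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
        Select-Object objectClass, SamAccountName, DistinguishedName
} catch {
    # Not a DC (or no RSAT): fall back to the local BUILTIN group.
    Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Select-Object ObjectClass, Name, PrincipalSource
}

# 2. Which service keys grant that group write-class rights? Those are the keys
#    where a Performance subkey pointing at an attacker DLL could be created.
$WriteRights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::SetValue    -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey
Write-Host "== Service keys writable by '$Group' =="
Get-ChildItem $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $acl = Get-Acl -Path "$ServicesRoot\$($_.PSChildName)" -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -like "*\$Group" -and
            ($ace.RegistryRights -band $WriteRights)) {
            [pscustomobject]@{
                Key       = $_.PSChildName
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
} | Format-Table -AutoSize

# 3. Every registered performance counter DLL. A bare file name is loaded from
#    System32; a Library value resolving anywhere else, or to a missing file, is
#    what to investigate (a freshly planted DLL will show up here).
Write-Host "== Performance counter libraries outside System32 =="
Get-ChildItem $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $perfKey = "$ServicesRoot\$($_.PSChildName)\Performance"
    if (-not (Test-Path $perfKey)) { return }
    $lib = (Get-ItemProperty -Path $perfKey -ErrorAction SilentlyContinue).Library
    if (-not $lib) { return }
    $resolved = if ($lib -match '[\\/]') {
        [Environment]::ExpandEnvironmentVariables($lib)
    } else {
        Join-Path $Sys32 $lib
    }
    [pscustomobject]@{
        Service    = $_.PSChildName
        Library    = $lib
        Resolved   = $resolved
        InSystem32 = $resolved.StartsWith($Sys32, 'OrdinalIgnoreCase')
        Exists     = Test-Path -LiteralPath $resolved
    }
} | Where-Object { -not $_.InSystem32 -or -not $_.Exists } | Format-Table -AutoSize
```

Run it once to get a baseline, then diff later runs against it; any new Performance subkey, changed Library value, or new ACE for the group is a finding. Section 2 will list keys on any unpatched host by design, which is the point: the script tells you where to scope registry auditing (Event ID 4657, "A registry value was modified", once a SACL is set on those keys) until the January update is on.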
LDAP vulnerability CVE-2025-21376
LDAP is a widely used, cross-platform protocol for querying directory services and authenticating against them. It can be hardened and is not usually exposed to the internet, but attackers routinely use it after an initial compromise to run reconnaissance and pull information about Active Directory.
This month’s LDAP vulnerability, CVE-2025-21376, lets a remote, unauthenticated attacker run their code on an affected system simply by sending a maliciously crafted request to the target, with no user interaction; “that makes this bug wormable between affected LDAP servers”, as the Zero Day Initiative’s Dustin Childs noted in the ZDI’s blog.
It does, however, require the attacker to win a race condition; this triggers a buffer overflow which could be used to achieve RCE.
One to watch - we’d expect PoCs to land swiftly.
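Two things a defender wants to know about an unauthenticated, wormable LDAP bug are where LDAP is reachable from and what the baseline hardening on each domain controller looks like. The script below is an added example for this page, not from the article, ZDI or Microsoft. It assumes the ActiveDirectory RSAT module and an account that can Invoke-Command on every DC. The registry values it reads are Microsoft's documented LDAP signing and channel-binding settings; they are unrelated to the race condition behind CVE-2025-21376 and do not mitigate it, which only the February update does. The script reports exposure and configuration, nothing more.

```powershell
# Added example (not from the article). Run from the network segment you are
# checking: a DMZ or guest VLAN that can reach 389/636 on a DC is a finding.
$LdapPorts  = 389, 636, 3268, 3269
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    # Which LDAP ports answer from here?
    $open = foreach ($p in $LdapPorts) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        if ($t.TcpTestSucceeded) { $p }
    }

    # Hardening and patch state, read on the DC itself.
    $cfg = Invoke-Command -ComputerName $dc -ScriptBlock {
        $params = Get-ItemProperty -Path $using:NtdsParams -ErrorAction SilentlyContinue
        $diag   = Get-ItemProperty -Path $using:NtdsDiag   -ErrorAction SilentlyContinue
        $last   = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
        [pscustomobject]@{
            # 2 = require signing for all LDAP binds (0/absent = none required)
            LDAPServerIntegrity       = $params.LDAPServerIntegrity
            # 2 = always require channel binding on LDAPS (0/absent = never)
            LdapEnforceChannelBinding = $params.LdapEnforceChannelBinding
            # >= 2 logs unsigned binds as Directory Service Event 2889
            LdapInterfaceEvents       = $diag.'16 LDAP Interface Events'
            LastHotFix                = $last.HotFixID
            LastHotFixInstalled       = $last.InstalledOn
        }
    }

    [pscustomobject]@{
        DC                        = $dc
        OpenLdapPortsFromHere     = ($open -join ',')
        LDAPServerIntegrity       = $cfg.LDAPServerIntegrity
        LdapEnforceChannelBinding = $cfg.LdapEnforceChannelBinding
        LdapInterfaceEvents       = $cfg.LdapInterfaceEvents
        LastHotFix                = $cfg.LastHotFix
        LastHotFixInstalled       = $cfg.LastHotFixInstalled
    }
}
```

Read the result per DC: any open port from a segment that should not reach directory services is a segmentation gap to close regardless of this CVE; LDAPServerIntegrity below 2 or channel binding below 2 means unsigned and unbound LDAP is still accepted; and a LastHotFixInstalled date before this Patch Tuesday means CVE-2025-21376 is still open on that host.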
Microsoft's monthly patches, as ever, garner far more attention than Google's quiet fixes for the latest Chrome zero day ("Chrome" shows up 58 times in CISA's "KEV" catalogue) or Oracle's monstrous quarterly patches (last month's fixed 318 vulnerabilities). Its sheer scale makes Patch Tuesday something of an event, though mercifully a less heavy one this month than last, when Microsoft pushed out patches for 161 vulnerabilities, three of them listed as under attack in the wild, in the largest Patch Tuesday in five years.