“Microsoft patched 56 CVEs, including four zero-day vulnerabilities, two of which were exploited in the wild.

“The two zero days exploited in the wild include CVE-2025-21418, an elevation of privilege vulnerability in afd.sys, the Windows Ancillary Function Driver that interfaces with the Windows Sockets API (or WinSock) to enable Windows applications to connect to the internet. The second zero day is CVE-2025-21391, an elevation of privilege flaw in the way Windows handles file storage.

“Both flaws appear to be post-compromise related, which means an attacker would need to obtain local access to a vulnerable system through other means, like exploiting another vulnerability for initial access, some type of social engineering, or compromised/weak credentials.

“In 2025, five zero days were exploited in the wild as part of Patch Tuesday, and all five were elevation of privilege flaws.

“Since 2022, there have been nine elevation of privilege vulnerabilities in the Ancillary Function Driver for WinSock, three each year, including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193). According to the reports, CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group (also known as Hidden Cobra or Diamond Sleet) to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems. At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.

“Conversely, there have been seven elevation of privilege bugs categorized as Windows Storage, including two in 2022, one in 2023 and four in 2024, though this is the first to be categorised as exploited in the wild as a zero day.” – Satnam Narang, sr. staff research engineer, Tenable


