For February’s Patch Tuesday, Microsoft rolls out 63 updates

Microsoft released 63 patches for Windows, Microsoft Office, and developer platforms in this week’s Patch Tuesday update. The February release was a relatively light update, but it comes with significant testing requirements for networking and remote desktop environments. 

Two zero-day Windows patches (CVE-2025-21391 and CVE-2025-21418) have been reported as exploited and another Windows update (CVE-2025-21377) has been publicly disclosed — meaning IT admins get a “Patch Now” recommendation for this month’s Windows updates. (All other Microsoft platforms can be handled with a standard update schedule — and there were no updates for Microsoft Exchange and SQL Server.)

To navigate these changes, the team from Readiness has provided a detailed infographic exploring the deployment risks.

(For information on the last six months of Patch Tuesday releases, see our round-up here.)

Known issues 

Microsoft identified three ongoing issues affecting users of Windows 10, Citrix, and Windows Server 2022 this month, including:

Windows 10/11 and Sever 2022: Enterprise Windows customers are still reporting SSH connection issues since the October 2024 update. Microsoft is investigating the issue, but has no published fixes or mitigating actions. It’s a challenge for Microsoft since the service failure does not generate logs or error messages.

Citrix: Microsoft’s January updates — and potentially this month’s releases — are still affected by the Citrix Session Recording Agent (SRA) preventing the successful installation of Microsoft patches. This is an ongoing issue with no fixes yet, though we expect the number of users affected is much lower than the SSH service issue.

Microsoft’s System Guard Runtime Monitor Broker Service (SGMBS) may be causing system level crashes and telemetry issues with the event viewer log since last month’s Patch Tuesday release. Microsoft technical support has offered a registry level change to update the service and mitigate the issue. We expect an update from Microsoft later this month on a more permanent resolution. 

Major revisions and mitigations

As of Feb. 14, the Readiness team has not received any published revisions or updates. Microsoft did offer a mitigation for a serious vulnerability in Microsoft Outlook (CVE-2025-21298). Perhaps less helpful than you’d expect, Microsoft recommends viewing emails in plain text to mitigate this critical remote code execution (RCE) vulnerability, which could otherwise grant attackers control over the target system.

Windows lifecycle and enforcement updates

Microsoft published no enforcement updates this month, but the following products are nearing  their end-of-service life cycles:

Windows 11 Enterprise and Education, Version 22H2 — Oct. 14, 2025

Windows Server Annual Channel, Version 23H2 — Oct. 24, 2025

Windows 11 Home and Pro, Version 23H2 — Nov. 11, 2025

Each month, the Readiness team provides detailed, actionable testing guidance for the latest Patch Tuesday updates based on assessing a large app portfolio and a offering comprehensive analyses of the patches and their potential impact on Windows and application deployments.

For this cycle, we grouped the critical updates and required testing efforts into different functional areas, including:

Networking and Remote Desktop services

Winsock: Microsoft advises that a multipoint socket (type c_root) is created and employed with the following operations: bind, connect, and listen. The socket should close successfully.

DHCP: Create test scenarios to validate Windows DHCP client operations (discover, offer, request, and acknowledgment (ACK)).

RDP: Ensure that you can configure Microsoft RRAS servers through netsh commands.

ICS: Ensure that Internet Connection Sharing (ICS) can be configured over Wi-Fi.

FAX/Telephony: Ensure that your test scenarios include TAPI (Telephony Application Programming Interface) initialization and shutdown operations. Since these tests require an extended runtime, allocate extra time for them.

Local Windows File System and storage

Ensure that File Explorer correctly renders URL file icons. Microsoft recommends testing the Storage Sense clean-up tool. If disk quotas are enabled, confirm that all I/O workloads function as expected.

Local and domain security

Domain controllers should continue to support certificate logons after applying the updates.

Kerberos: Microsoft recommends creating authentication scenarios for domain-joined systems, using local and encrypted login methods.

If you have the time and resources (VMs and networking), the Readiness team strongly recommends building a test Remote Desktop environment that includes a connection broker, remote desktop gateway, and remote desktops on virtual machines. After setting up each component, verify that all RDP connections are established successfully.

This month, testing Microsoft’s ICS functionality requires an extended test plan covering the following areas:

Usability testing: Create test scenarios to verify that the process of enabling/disabling ICS functions as expected.

Validation: Microsoft recommends confirming that Network Address Translation (NAT) correctly translates private IP addresses to that of the shared connection.

Security: Ensure that ICS traffic adheres to existing firewall rules and does not create unintended security risks.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

Browsers (Microsoft IE and Edge) 

Microsoft Windows (both desktop and server) 

Microsoft Office

Microsoft Exchange and SQL Server 

Microsoft Developer Tools (Visual Studio and.NET)

Adobe (if you get this far) 

Browsers

Microsoft released a larger-than-normal number of patches for the Edge browser this month — 10, all rated important. These updates are a mix of Chromium (CVE-2025-0444, CVE-2025-0445 and CVE-2025-0451) and Edge patches that deal with memory related security vulnerabilities. All of these low-profile changes can be added to your standard release calendar.

Microsoft Windows

These areas have been updated with two critical patches and 35 important patches this patch cycle:

Win32 and Kernel Services

Remote Desktop, RAS  and Internet Connection Sharing (ICS)

Kerberos, DHCP  and Windows Networking

Microsoft Active Directory and Windows Installer

Though the Windows NTLM patch (CVE-2025-21377) has been rated important, it has been publicly disclosed. Two more updates (both rated important) affecting storage (CVE-2025-21391) and networking (CVE-2025-21418) have reportedly been exploited in the wild. These reports raise the stakes for an otherwise low-profile Windows update, so the Readiness team recommends a “Patch Now” schedule for these.

Microsoft Office

Microsoft released a single critical update for Microsoft Excel and nine more rated as important for Microsoft Office and the SharePoint platforms. None of these  vulnerabilities have been reported as exploited or publicly disclosed. So, add these Office updates to your standard release calendar.

Microsoft Exchange and SQL Server

No updates were released for either Microsoft Exchange or SQL Server this month. 

Developer Tools

Microsoft released four updates to Microsoft Visual Studio, all of which are rated important. One of these updates (CVE-2023-32002) may look a little odd as the date refers to 2023, not 2025. However, it appears legitimate. Though it has been categorized under Microsoft’s Visual Studio product grouping, this patch attempts to resolve a vulnerability in Node.js. Add these updates (even the funny looking ones) to your standard developer release schedule.

Adobe (and 3rd party updates)

Microsoft did not push out any Adobe updates. However, HackerOne required a patch to the developer framework Node.js to resolve a network related vulnerability (CVE-2025-21418).