Essential Browser Security Updates You Need to Know

➡️ Register for Patch Tuesday Webinar Series: https://www.ivanti.com/lp/webinar-series/patch-tuesday
➡️ Download slides here: https://www.ivanti.com/resources/patch-tuesday
➡️ Watch the full clip here: https://youtu.be/ojvY_mN7CMc

Browsers are vulnerable and need regular updates to stay secure. Organizations are focusing on multiple remediation strategies and recommend weekly updates. Recent updates from Apple tackle a USB vulnerability in iPhones and iPads that could allow unauthorized access, posing a significant risk to high-profile users and their sensitive information.

Feb Patch Tuesday is ramping up with releases from Adobe & Microsoft and an expected release from Google. Adobe resolved 45 CVEs across seven updates. The largest and highest priority is Adobe Commerce, which resolves 30 CVEs. Microsoft is coming down off a huge January release and only resolved 56 new CVEs this February. There are two new zero-day exploits and a revised Secure Boot zero-day in the mix, making the Windows OS a top priority this month.

Microsoft exploited vulnerabilities
Microsoft has resolved an Elevation of Privilege vulnerability in Windows Ancillary Function Driver for WinSock (CVE-2025-21418). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects all Windows editions from Windows 10 to 11 and Server 2008 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. An attacker who exploited this vulnerability could gain SYSTEM privileges. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Storage (CVE-2025-21391). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Windows 10 to 11 and Server 2016 to Server 2025. Microsoft has confirmed that this CVE is exploited in the wild. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft has revised the previously resolved Security Feature Bypass in Secure Boot (CVE-2023-24932). The vulnerability is rated Important and has a CVSSv3.1 score of 6.7. The vulnerability was updated to include Windows 11 24H2 and Server 2025 as they are also affected by this known exploited and publicly exploited vulnerability. Additionally, Microsoft has released a more comprehensive update to all affected versions to fully protect against this vulnerability. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft publicly disclosed vulnerabilities
Microsoft has resolved a Spoofing Vulnerability in NTLM Hash Disclosure (CVE-2025-21377). The vulnerability is rated Important and has a CVSSv3.1 score of 6.5. The vulnerability affects all Windows editions from Windows 10 to 11 & Server 2008 to Server 2025. Microsoft has confirmed that this CVE is publicly disclosed. The temporal metrics indicate Exploit Code Maturity is Functional, further increasing the risk of exploitation. Risk-based prioritization warrants treating this vulnerability as Critical.

Microsoft has resolved a Security Feature Bypass in Microsoft Surface (CVE-2025-21194). The vulnerability is rated Important and has a CVSSv3.1 score of 7.1. The vulnerability affects Microsoft Surface and Surface Dev Kit systems. Microsoft has confirmed that this vulnerability is publicly disclosed, but the code maturity is unproven.

3rd-party vulnerabilities
Adobe released updates for InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer and Photoshop Elements, resolving a total of 45 CVEs. Six of the updates are Priority 3. Adobe Commerce is set to Priority 1. The Commerce update resolves 30 of the 45 total CVEs Adobe resolved this month and warrants more immediate attention.

Google Chrome is expected to update later today, which will trigger updates for Chromium-based browsers including Microsoft Edge, so be on the lookout for Chrome and Edge updates as we proceed through the week.

Ivanti security advisory
Ivanti has released five product updates resolving 11 CVEs, four of which are Critical. The affected products include Ivanti Cloud Service Application, Ivanti Neurons for MDM, Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Secure Access Client. At the time of release, Ivanti is not aware of any exploitation or public discloses for the 11 resolved CVEs. For more information, see the February Security Advisory page.

Chapters

0:00 Browser and Device Security

2:01 Urgent Security Updates

2:22 High-Profile Security Risks