Microsoft has released 63 patches for Windows, Microsoft Office, and developer platforms as part of the February Patch Tuesday update. It’s a relatively light update with significant testing requirements for networking and remote desktop environments. Two zero-day Windows patches (CVE-2025-21391 and CVE-2025-21418) have been reported as exploited and a further Windows update (CVE-2025-21377) has been publicly disclosed. This leads to a “Patch Now” recommendation for this month’s Windows updates. All other Microsoft platforms can be deployed with a standard update schedule, noting that there are no updates for Microsoft Exchange and SQL Server.
To help navigate these changes to their platforms, the team from Readiness has provided a helpful infographic detailing the risks of deploying updates to each platform.
Known Issues
Microsoft has identified three ongoing issues affecting users of Windows 10, Citrix, and Windows Server 2022 this month, including:
- Windows 10/11 and Sever 2022: Enterprise Windows customers are still reporting SSH connection issues since last year’s October Patch Tuesday update. Microsoft is investigating the issue, with no published updates or mitigating actions. This issue poses a challenge for Microsoft since the service failure does not generate logs or error messages.
- Citrix: Microsoft’s January updates, and potentially this month’s patch releases are still affected by the Citrix Session Recording Agent (SRA) preventing the successful installation of Microsoft patches. This is an ongoing issue with no published fixes, though we expect that the number of users affected is much lower than the reported SSH service issue.
- Microsoft’s System Guard Runtime Monitor Broker Service (SGMBS) may be causing system level crashes and telemetry issues with the event viewer log since last month’s (January) Patch Tuesday release. Microsoft technical support has offered a registry level change to update the service and mitigate the issue. We expect an update from Microsoft later this month on a more permanent resolution.
Major Revisions and Mitigations
At the time of writing, the Readiness team has not received any published revisions or updates to this month’s January updates. Microsoft has offered a mitigation for a serious vulnerability in Microsoft Outlook (CVE-2025-21298). Perhaps not as helpful as one might expect, Microsoft recommends viewing emails in plain text to mitigate this critical remote code execution (RCE) vulnerability, which could otherwise grant attackers control over the target system.
Windows Lifecycle and Enforcement Updates
Microsoft has not published any enforcement updates this month, but we have the following Microsoft products reaching their end of service life cycles:
- Windows 11 Enterprise and Education, Version 22H2 – October 14th, 2025
- Windows Server Annual Channel, Version 23H2 – October 24, 2025
- Windows 11 Home and Pro, Version 23H2 – November 11, 2025
Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a comprehensive analysis of the Microsoft patches and their potential impact on Windows platforms and application deployments.
For this February release cycle from Microsoft, we have grouped the critical updates and required testing efforts into different functional areas, including:
Networking and Remote Desktop Services
- Winsock: Microsoft advises that a multipoint socket (type c_root) is created and employed with the following operations: bind, connect, and listen. The socket should close successfully.
- DHCP: Create test scenarios to validate Windows DHCP client operations (discover, offer, request, and acknowledgment (ACK)).
- RDP: Ensure that you can configure Microsoft RRAS servers through netsh commands.
- ICS: Ensure that Internet Connection Sharing (ICS) can be configured over Wi-Fi.
- FAX/Telephony: Ensure that your test scenarios include TAPI (Telephony Application Programming Interface) initialization and shutdown operations. Since these tests require an extended runtime, allocate additional time in your project plan.
Local Windows File System and Storage
- Ensure that File Explorer correctly renders URL file icons. Microsoft recommends testing the Storage Sense clean-up tool. If disk quotas are enabled, confirm that all I/O workloads function as expected.
Local and Domain Security
- Domain controllers should continue to support certificate logons after applying the updates.
- Kerberos: Microsoft recommends creating authentication scenarios for domain-joined systems, using local and encrypted login methods.
If you have the time and resources (VM’s and networking), the Readiness team strongly recommends building a test Remote Desktop environment that includes a connection broker, remote desktop gateway, and remote desktops on virtual machines. After setting up each component, verify that all RDP connections are established successfully.
This month, testing Microsoft’s ICS functionality requires an extended test plan covering the following areas:
- Usability testing: Create test scenarios to verify that the process of enabling/disabling ICS functions as expected.
- Validation: Microsoft recommends confirming that Network Address Translation (NAT) correctly translates private IP addresses to that of the shared connection.
- Security: Ensure that ICS traffic adheres to existing firewall rules and does not create unintended security risks.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange and SQL Server
- Microsoft Developer Tools (Visual Studio and .NET)
- Adobe (if you get this far)
Browsers
Microsoft has released a larger than normal number of patches to the Edge browser platform this month with 10 patches released, all rated as important. These updates are a mix of Chromium (CVE-2025-0444, CVE-2025-0445 and CVE-2025-0451) and Edge patches that deal with memory related security vulnerabilities. All of these low-profile changes can be added to your standard release calendar.
Microsoft Windows
The following product areas have been updated with two critical rated patches and 35 remaining patches rated important for this January patch cycle:
- Win32 and Kernel Services
- Remote Desktop, RAS and Internet Connection Sharing (ICS)
- Kerberos, DHCP and Windows Networking
- Microsoft Active Directory and Windows Installer
Though the Windows NTLM patch (CVE-2025-21377) has been rated as important by Microsoft, it has been publicly disclosed. A further two updates (both rated as important) affecting storage (CVE-2025-21391) and networking (CVE-2025-21418) have been reported as exploited in the wild. These reports raise the stakes for an otherwise low-profile Windows update and so the Readiness team recommends a “Patch Now” schedule for these Windows patches..
Microsoft Office
Microsoft has released a single critical update for Microsoft Excel and a further 9 patches rated as important for Microsoft Office and the SharePoint platforms. None of these security vulnerabilities have been reported as exploited or publicly disclosed. Please add these Microsoft Office updates to your standard release calendar.
Microsoft Exchange and SQL Server
No updates for either Microsoft Exchange or SQL Server this month.
Developer Tools
This month Microsoft has released four updates to Microsoft Visual Studio, all of which are rated as important by Microsoft. One of these updates (CVE-2023-32002) may look a little odd as the date refers to 2023, not 2025. However, it appears legitimate. Though it has been categorized under Microsoft’s Visual Studio product grouping, this patch attempts to resolve a vulnerability in Node.js. Add these updates (even the funny looking ones) to your standard developer release schedule.
Adobe (and 3rd party updates)
Microsoft has not published any Adobe updates this month. However, HackerOne required a patch to the developer framework Node.js to resolve a network related vulnerability (CVE-2025-21418). Next month we may see the retirement of this Adobe related section, to be replaced with 3rd Party updates that have been published by Microsoft for Patch Tuesday.
