Microsoft Patches 'Wormable' Windows Flaw and File-Deleting Zero-Day
Microsoft’s latest Patch Tuesday rollout comes with a dire warning for Windows users: two actively exploited zero-day vulnerabilities are out in the wild, and one of them can let attackers delete critical files from targeted systems.
The company has released urgent security fixes for at least 55 documented vulnerabilities in Windows and related applications, including critical flaws in Windows Storage, WinSock, and Microsoft Excel. Among them, a remote code execution (RCE) bug in Windows Lightweight Directory Access Protocol (LDAP) is being called “wormable,” raising concerns about widespread exploitation.
Here’s what you need to know about these threats and why immediate patching is crucial.
Table of Contents
Zero-Day File Deletion Flaw (CVE-2025-21391)
One of the most alarming vulnerabilities addressed in this update is CVE-2025-21391, an elevation of privilege flaw in Windows Storage that allows attackers to delete files on a victim’s system. This can lead to major disruptions, system instability, or even service outages—a severe threat for both individual users and businesses.
Since this flaw is already being actively exploited, Windows users should apply patches immediately to avoid potential attacks.
WinSock Flaw Grants SYSTEM Privileges (CVE-2025-21418)
Another critical zero-day, CVE-2025-21418, affects the Windows Ancillary Function Driver for WinSock. If successfully exploited, it grants attackers SYSTEM-level privileges, giving them near-complete control over an affected device.
Microsoft has classified this vulnerability as a high-priority threat, urging administrators to deploy patches without delay to minimize the risk of compromise.
A ‘Wormable’ Remote Code Execution Bug (CVE-2025-21376)
One of the most concerning vulnerabilities in this update is CVE-2025-21376, a remote code execution (RCE) flaw in Windows Lightweight Directory Access Protocol (LDAP).
This bug allows an unauthenticated attacker to send specially crafted requests to a vulnerable LDAP server, leading to a buffer overflow that could be leveraged for remote code execution. Security experts warn that this vulnerability is wormable, meaning it could be used to self-propagate across networks without user interaction.
According to ZDI (Zero Day Initiative), organizations using LDAP servers should urgently test and deploy the patch to prevent potential widespread attacks.
Microsoft Excel Remote Code Execution (CVE-2025-21387)
Microsoft Excel users are also at risk due to CVE-2025-21387, a remote code execution vulnerability that can be exploited via the Preview Pane. This means that no user interaction is required—simply opening a malicious file in the Preview Pane could trigger an exploit.
To fully mitigate this threat, Microsoft has issued multiple patches that must all be installed to ensure complete protection.
Other Notable Vulnerabilities
Microsoft also addressed several other significant security flaws, including:
- CVE-2025-21194 – A feature bypass bug affecting Microsoft Surface.
- CVE-2025-21377 – A spoofing vulnerability in NTLM Hash, which could allow an attacker to steal a user’s NTLMv2 hash and authenticate as that user.
Microsoft’s Lack of IOCs Leaves Defenders in the Dark
Despite the severity of these vulnerabilities, Microsoft did not provide Indicators of Compromise (IOCs) or telemetry data to help security teams detect active exploitation. This lack of transparency makes it harder for defenders to identify whether they’ve been compromised.
What You Should Do Now
- Apply all available patches immediately. Attackers are already exploiting some of these flaws, making prompt updates essential.
- Monitor network activity for suspicious LDAP traffic. The wormable LDAP vulnerability could be used for large-scale attacks.
- Disable the Preview Pane in Microsoft Excel. This simple step can help mitigate the risk of zero-click attacks.
- Use endpoint protection and security monitoring tools to detect privilege escalation or unauthorized file deletions.
With the increasing sophistication of cyber threats, staying on top of Patch Tuesday updates is more critical than ever. Delaying these fixes could leave your system vulnerable to dangerous exploits, data loss, and potential ransomware attacks.
Microsoft users should act now—before attackers strike.