Microsoft recently released its January 2025 Patch Tuesday cumulative update, which included security updates for 159 flaws across Windows OS, Microsoft Office, .NET, Azure, Kerberos, and Windows Hyper-V.
These included eight zero-day vulnerabilities, of which three are under active exploitation and five are publicly known flaws.
"Of the patches released today, 11 are rated Critical, and the other 148 are rated Important in severity. This is the largest number of CVEs addressed in any single month since at least 2017 and is more than double the usual amount of CVEs fixed in January," Trend Micro's Zero Day Initiative (ZDI) program researchers wrote in an analysis.
The three zero-day vulnerabilities under active exploitation in the wild are tracked as CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335.
These are elevation of privilege (EoP) vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP), with a CVSS score of 7.8 (important).
According to Microsoft, successfully exploiting the vulnerability could allow an authenticated user to execute code with SYSTEM privileges.
As usual, the Redmond giant has provided no information about how these flaws are being exploited, the attackers involved, or the scale of the attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these flaws to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to implement fixes by February 4, 2025.
Further, let's have a look at the five publicly disclosed zero-days that were not exploited by the attackers and have been patched in the January 2025 Patch Tuesday cumulative update:
CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395: These three vulnerabilities, each rated 7.8 on the CVSS scale (important), are Remote Code Execution (RCE) flaws in Microsoft Access that are triggered when opening maliciously crafted Access documents.
The company has addressed these vulnerabilities by blocking access to the following extensions:
- accdb
- accde
- accdw
- accdt
- accda
- accdr
- accdu
Microsoft credited Unpatched.ai, an AI-assisted vulnerability hunting platform, for finding all three Microsoft Access issues.
The other two publicly disclosed and unexploited zero-days are CVE-2025-21275 (CVSS: 7.8) in Windows App Package Installer and CVE-2025-21308 (CVSS: 6.5) in Windows Themes that were fixed in January 2025 Patch Tuesday.
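As an added example (not from Microsoft or the original article), the following Python code shows how a defender could audit stored mail for attachments carrying the Access extensions listed above. It assumes mail attachments are the place to check, which the article does not state; the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions listed in the article for the Microsoft Access fixes.
ACCESS_EXTENSIONS = {"accdb", "accde", "accdw", "accdt", "accda", "accdr", "accdu"}


def is_access_file(filename):
    """True if the final extension is on the list (case-insensitive)."""
    if not filename:
        return False
    # Keep only the last path component, whichever separator was used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "x.accdb. " still
    # resolves to an .accdb file; strip them before comparing.
    name = name.rstrip(". ")
    _, dot, ext = name.rpartition(".")
    return bool(dot) and ext.lower() in ACCESS_EXTENSIONS


def flag_attachments(raw_message):
    """Return the attachment file names in a raw RFC 5322 message that match."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # walk() visits every MIME part, including nested multiparts.
    return [part.get_filename() for part in msg.walk()
            if is_access_file(part.get_filename())]


def build_sample():
    """Constructed test message; names and content are made up."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("hello")
    for name in ("Q4-Report.ACCDB", "invoice.pdf.accde",
                 "budget.accdr.", "notes.txt", "accdb"):
        m.add_attachment(b"x", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    for hit in flag_attachments(build_sample()):
        print("flagged:", hit)
```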
In the case of the CVE-2025-21275 flaw, it could enable an attacker to gain SYSTEM privileges if successfully exploited. On the other hand, the CVE-2025-21308 vulnerability can be exploited by simply previewing a malicious Theme file in Windows Explorer.
“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” explains Microsoft’s advisory about CVE-2025-21308.
In addition to the above eight zero-day vulnerabilities, the company also fixed the below critical flaws:
- CVE-2025-21178 (CVSS score: 8.8) – Visual Studio Remote Code Execution Vulnerability
- CVE-2025-21294 (CVSS score: 8.1) – Microsoft Digest Authentication Remote Code Execution Vulnerability
- CVE-2025-21295 (CVSS score: 8.1) – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
- CVE-2025-21296 (CVSS score: 7.5) – BranchCache Remote Code Execution Vulnerability
- CVE-2025-21297 (CVSS score: 8.1) – Windows Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2025-21298 (CVSS score: 9.8) – Windows Object Linking and Embedding (OLE) Remote Code Execution Vulnerability
- CVE-2025-21307 (CVSS score: 9.8) – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21309 (CVSS score: 8.1) – Windows Remote Desktop Services Remote Code Execution Vulnerability
- CVE-2025-21311 (CVSS score: 9.8) – Windows NTLM V1 Elevation of Privilege Vulnerability
- CVE-2025-21380 (CVSS score: 8.8) – Azure Marketplace SaaS Resources Information Disclosure Vulnerability
- CVE-2025-21385 (CVSS score: 8.8) – Microsoft Purview Information Disclosure Vulnerability
For detailed information about the 159 vulnerabilities, you can click here.
It is recommended that the latest security updates be applied to ensure protection against these vulnerabilities.