The January 2025 Patch Tuesday report has been released, marking Microsoft's first security update release of the new year. This significant monthly event plays a crucial role in maintaining the security and stability of Windows operating systems and various other Microsoft software products that organizations and individuals rely on daily. In this article, we'll break down the key highlights of the January 2025 Patch Tuesday report, focusing on the most pressing concerns for users and administrators.

Notably, Microsoft has released fixes for 159 vulnerabilities in January 2025 Patch Tuesday report, out of which 12 were rated Critical. Microsoft also warned about the active exploitation of three zero-day vulnerabilities, while five others were publicly disclosed prior to patches being available. As with previous Patch Tuesday reports, Remote Code Execution (RCE) vulnerabilities topped the list with 58 occurrences.

The affected products span across Microsoft's ecosystem, including Windows, Office, Exchange Server, Azure, Dynamics, and other products. The three actively exploited zero-days involve Windows Hyper-V NT Kernel Integration VSP elevation of privilege vulnerabilities (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335). Additionally, three Microsoft Access Remote Code Execution vulnerabilities (CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395) were publicly disclosed before patches were available.

Let's break down what is included in the January patches that Microsoft released on January 14th, 2025.

Key Highlights - Patch Tuesday January 2025

In January's Patch Tuesday, Microsoft addressed 159 vulnerabilities, including eight zero-day vulnerabilities with three being actively exploited in the wild. The update included patches across categories like elevation of privilege, remote code execution, information disclosure, spoofing, denial of service, and security feature bypass vulnerabilities across a wide range of Microsoft products.

Key affected products include Windows, Office, Access, Excel, Outlook, SharePoint, Azure, Dynamics, and other Microsoft services. Administrators and end users are advised to apply these security updates promptly to ensure systems are protected against these vulnerabilities.

Key Highlights are:

2. Critical Flaws: Twelve vulnerabilities were rated as Critical, including:

3. Vulnerability Types: The vulnerabilities are categorized as follows:

4. Public Disclosures: Five zero-days were publicly disclosed before patches were available:

5. Notable Issues: Other significant vulnerabilities patched include:

This January Patch Tuesday represents the largest security update from Microsoft to date, highlighting the importance of timely patch deployment to protect against emerging threats.

Zero-day Vulnerabilities Patched in January 2025

Microsoft addressed eight zero-day vulnerabilities in the January 2025 Patch Tuesday release. Three of these vulnerabilities were being actively exploited in the wild prior to the patches being made available. Let's examine each of these critical vulnerabilities:

CVE-2025-21333, CVE-2025-21334, & CVE-2025-21335: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities

These three related elevation of privilege vulnerabilities affect the Windows Hyper-V NT Kernel Integration VSP (Virtualization Service Provider). All three vulnerabilities have been actively exploited in the wild and are rated Important with a CVSS score of 7.8.

An authenticated attacker with local access could exploit these vulnerabilities to gain SYSTEM privileges. The vulnerability in CVE-2025-21333 was reported by an Anonymous researcher, while the other two were unattributed.

CVE-2025-21366, CVE-2025-21395, & CVE-2025-21186: Microsoft Access Remote Code Execution Vulnerabilities

These three publicly disclosed vulnerabilities affect Microsoft Access and could allow remote code execution through specially crafted files. Each vulnerability is rated Important with a CVSS score of 7.8.

To exploit these vulnerabilities, an attacker would need to convince a user to download and open a malicious file. Microsoft has addressed these vulnerabilities by blocking access to potentially malicious extensions from being sent in emails. The affected file extensions include:

All three vulnerabilities were discovered by Unpatched.ai, an AI-assisted vulnerability discovery platform.

CVE-2025-21275: Windows App Package Installer Elevation of Privilege Vulnerability

This publicly disclosed vulnerability in the Windows App Package Installer could allow an attacker to gain SYSTEM privileges. The vulnerability is rated Important with a CVSS score of 7.8.

The vulnerability, reported by an Anonymous researcher, requires local access and user authentication for successful exploitation. No active exploitation has been observed in the wild.

CVE-2025-21308: Windows Themes Spoofing Vulnerability

This publicly disclosed vulnerability affects Windows Themes and could allow an attacker to conduct spoofing attacks. The vulnerability is rated Important with a CVSS score of 6.5.

Successful exploitation requires convincing a user to load a malicious file onto a vulnerable system and manipulate it, though clicking or opening the file is not necessary. The vulnerability can lead to disclosure of NTLM hashes, which could be used in pass-the-hash attacks.

Microsoft has provided mitigation guidance including:

The vulnerability was discovered by Blaz Satler with 0patch by ACROS Security.

Critical Vulnerabilities Patched in January 2025

Microsoft addressed twelve critical vulnerabilities in the January 2025 Patch Tuesday release. Let's examine the most significant critical vulnerabilities:

CVE-2025-21298 - Windows OLE Remote Code Execution Vulnerability

This critical vulnerability in Windows Object Linking and Embedding (OLE) has received a CVSS score of 9.8. The vulnerability enables remote code execution without requiring elevated privileges.

An attacker could exploit this vulnerability in an email attack scenario by sending a specially crafted email to the victim. The victim only needs to open or preview the email with an affected version of Microsoft Outlook for successful exploitation. Upon successful exploitation, an attacker can achieve remote code execution on the victim's machine.

CVE-2025-21307 - Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

This critical remote code execution vulnerability in the Windows RMCAST driver received a CVSS score of 9.8. An unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast (PGM) open socket on the server without any user interaction.

CVE-2025-21297 & CVE-2025-21309 - Windows Remote Desktop Services Remote Code Execution Vulnerabilities

These two critical vulnerabilities in Windows Remote Desktop Services each received a CVSS score of 8.1. Successful exploitation requires an attacker to connect to a system with the Remote Desktop Gateway role and trigger a race condition to create a use-after-free scenario, leading to arbitrary code execution.

CVE-2025-21294 - Microsoft Digest Authentication Remote Code Execution Vulnerability

A critical remote code execution vulnerability in Microsoft Digest Authentication that could allow an attacker to execute arbitrary code by exploiting a race condition. An attacker could trigger this by connecting to a system that requires digest authentication.

CVE-2025-21295 - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

This critical vulnerability in the SPNEGO Extended Negotiation security mechanism could enable remote code execution without user interaction. An attacker must manipulate system operations in a specific manner to achieve successful exploitation.

CVE-2025-21311 - Windows NTLM V1 Elevation of Privilege Vulnerability

A critical elevation of privilege vulnerability in Windows NTLM V1 authentication protocol that could allow an attacker to escalate privileges. This vulnerability poses significant risks for systems still using NTLMv1 authentication.

CVE-2025-21354 & CVE-2025-21362 - Microsoft Excel Remote Code Execution Vulnerabilities

Two critical remote code execution vulnerabilities in Microsoft Excel that could allow attackers to achieve remote code execution on vulnerable targets. These vulnerabilities require user interaction to open a specially crafted file.

Here's a summary table of the critical vulnerabilities:

These critical vulnerabilities require immediate attention and patching to prevent potential exploitation in enterprise environments.

Vulnerabilities by Category

In total, 159 vulnerabilities were addressed in January's Patch Tuesday. Remote Code Execution vulnerabilities lead the count with 58 patches, followed by Elevation of Privilege bugs at 40 instances. Information Disclosure ranked third with 24 vulnerabilities patched this month. Here is the breakdown of the categories patched this month:

Here is a table with the vulnerability categories and associated CVE IDs from Microsoft's January 2025 Patch Tuesday:

This breakdown shows the continued prevalence of remote code execution vulnerabilities in Microsoft products, highlighting the importance of timely patch deployment to protect against potential attacks.

List of Products Patched in January 2025 Patch Tuesday Report

Microsoft's January 2025 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the key products and components that received patches:

This table represents the major products and components that received security updates in January's Patch Tuesday release. Windows Telephony Service received the highest number of patches this month, followed by Microsoft Office and Windows core components.

Summary tables

Azure vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

ESU Windows Microsoft Office vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Windows vulnerabilities

Bottom Line

Microsoft's January 2025 Patch Tuesday kicks off the year with fixes for 159 vulnerabilities, including eight zero-days with three actively exploited in the wild, across Windows, Office, Exchange Server, Azure, and other products.

This release stands as the largest Patch Tuesday update to date, with 58 remote code execution and 40 elevations of privilege vulnerabilities forming the majority of the patches. The eight zero-days, including three actively exploited Windows Hyper-V NT Kernel Integration VSP vulnerabilities, emphasize the importance of prompt patching.

Among the critical vulnerabilities, several demand immediate attention:

The extensive patch load underscores the importance of continuous monitoring, vulnerability management, and systematic updating to counter sophisticated multi-stage attacks targeting enterprise networks. Organizations should prioritize remediation efforts by potential business impact and exposure risk.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles: