Microsoft’s January update contains patches for a record 159 vulnerabilities, including eight zero-day bugs, three of which attackers are already actively exploiting.

The update is Microsoft’s largest ever and is also notable for including three bugs that the company said were discovered by an artificial intelligence (AI) platform.

Microsoft assessed 10 of the vulnerabilities disclosed this week as being of critical severity and the remaining ones as important bugs to fix. As always, the patches address vulnerabilities in a wide range of Microsoft technologies, including Windows OS, Microsoft Office, .NET, Azure, Kerberos, and Windows Hyper-V. They include more than 20 remote code execution (RCE) vulnerabilities, nearly the same number of elevation-of-privilege bugs, and an assortment of other denial-of-service flaws, security bypass issues, and spoofing and information disclosure vulnerabilities.

Three Vulnerabilities to Patch Immediately

Multiple security researchers pointed to the three actively exploited bugs in this month’s update as the vulnerabilities that need immediate attention. The vulnerabilities, identified as CVE-2025-21335, CVE-2025-21333, and CVE-2025-21334, are all privilege escalation issues in a Windows Hyper-V NT kernel component. Attackers can exploit the bugs relatively easily and with minimal permissions to gain system-level privileges on affected systems.

Microsoft itself has assigned each of the three bugs a relatively moderate severity score of 7.8 out of 10 on the CVSS scale. But the fact that attackers are already exploiting the bugs means organizations cannot afford to delay patching them. “Don’t be fooled by their relatively low CVSS scores of 7.8,” said Kev Breen, senior director of threat research at Immersive Labs, in emailed comments. “Hyper-V is heavily embedded in modern Windows 11 operating systems and used for a range of security tasks.”

Microsoft has not released any details on how attackers are exploiting the vulnerabilities. But it is likely that threat actors are using them to escalate privileges after they have gained initial access to a target environment, according to researchers. “Without proper safeguards, such vulnerabilities escalate to full guest-to-host takeovers, posing significant security risks across your virtual environment,” researchers at Automox wrote in a blog post this week.

Five Publicly Disclosed but Not Yet Exploited Zero-Days

The remaining five zero-days that Microsoft patched in its January update are all bugs that have been previously disclosed but which attackers have not exploited yet. Three of the bugs enable remote code execution and affect Microsoft Access: CVE-2025-21186 (CVSS: 7.8/10), CVE-2025-21366 (CVSS: 7.8/10), and CVE-2025-21395. Microsoft credited AI-based vulnerability hunting platform Unpatched.ai for finding the bugs. “Automated vulnerability detection using AI has garnered a lot of attention recently, so it’s noteworthy to see this service being credited with finding bugs in Microsoft products,” Satnam Narang, senior staff research engineer for Tenable, wrote in emailed comments. “It may be the first of many in 2025.”

The other two publicly disclosed but as yet unexploited zero-days in Microsoft’s January security update are CVE-2025-21275 (CVSS: 7.8/10) in Windows App Package Installer and CVE-2025-21308 in Windows Themes. Both enable privilege escalation to SYSTEM and therefore are high-priority bugs for fixing as well.

Other Critical Vulns

In addition to the zero-days there are several other vulnerabilities in the latest batch that also merit high-priority attention. Near the top of the list are three CVEs to which Microsoft has assigned near maximum CVSS scores of 9.8 out of 10: CVE-2025-21311 in Windows NTLMv1 on multiple Windows versions; CVE-2025-21307, an unauthenticated RCE flaw in Windows Reliable Multicast Transport Driver; and CVE-2025-21298, an arbitrary code execution vulnerability in Windows OLE.

According to Ben Hopkins, cybersecurity engineer at Immersive Labs, Microsoft likely rated CVE-2025-21311 as critical because of the potentially severe risk it presents. “What makes this vulnerability so impactful is the fact that it is remotely exploitable, so attackers can reach the compromised machine(s) over the Internet,” he wrote in emailed comments. “The attacker does not need significant knowledge or skills to achieve repeatable success with the same payload across any vulnerable component.”

CVE-2025-21307, meanwhile, is a use-after-free memory corruption bug that affects organizations using the Pragmatic General Multicast (PGM) multicast transport protocol. In such an environment, an unauthenticated attacker only needs to send a malicious packet to the server to trigger the vulnerability, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, wrote in emailed comments. Attackers who successfully attack the vulnerability can gain kernel-level access to affected systems, meaning organizations using the protocol need to apply Microsoft’s patch for the flaw immediately, McCarthy added.

Tyler Reguly, associate director of security R&D at Fortra, described CVE-2025-21298 — the third 9.8 severity bug — as an RCE flaw that an attacker would likely exploit via email rather than over the network. “The Microsoft Outlook preview pane is a valid attack vector, which lends itself to calling this a remote attack. Consider reading all emails in plaintext to avoid vulnerabilities like this one,” he noted in emailed comments.
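A quick defender-side exposure triage for the items discussed in this section and the Hyper-V bugs above, written as an added PowerShell example (not from the article or from any of the quoted researchers). It assumes the PGM transport registers as the RMCAST driver service, that NTLMv1 acceptance is governed by the LmCompatibilityLevel value, that Outlook's plain-text reading option is the ReadAsPlain value, and that the Hyper-V optional feature is named Microsoft-Hyper-V-All on client Windows; the January KB numbers are not on the page, so it only reports the most recently installed hotfix.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session on the host
# to check. Every service, feature and registry name below is an assumption labelled in
# the lead-in; adjust them to your environment.
$findings = @()

# 1. Hyper-V feature enabled? (CVE-2025-21333/21334/21335, exploited in the wild)
# Caveat from Breen's comment: the hypervisor may still be active for VBS/Credential
# Guard on Windows 11 even when this role is disabled, so patch regardless of the result.
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
if ($hv -and $hv.State -eq 'Enabled') {
    $findings += 'Hyper-V enabled: prioritise the three exploited Hyper-V privilege escalation patches.'
}

# 2. Reliable Multicast (PGM) transport driver installed? (CVE-2025-21307)
# Assumption: the PGM driver registers as the RMCAST service.
if (Get-Service -Name RMCAST -ErrorAction SilentlyContinue) {
    $findings += 'RMCAST (PGM) driver present: unauthenticated kernel-level RCE surface, patch immediately.'
}

# 3. Is NTLMv1 still accepted? (CVE-2025-21311)
# Assumption: LmCompatibilityLevel below 5 means the host still accepts NTLMv1 responses.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($null -eq $lsa.LmCompatibilityLevel) {
    $findings += 'LmCompatibilityLevel not set (OS default applies); review NTLMv1 acceptance alongside the patch.'
} elseif ($lsa.LmCompatibilityLevel -lt 5) {
    $findings += "LmCompatibilityLevel = $($lsa.LmCompatibilityLevel); NTLMv1 may still be accepted."
}

# 4. Outlook reading mail as plain text, as Reguly suggests? (CVE-2025-21298 via preview pane)
# Assumption: Office 16.0 hive and the ReadAsPlain value.
$mail = Get-ItemProperty 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail' -ErrorAction SilentlyContinue
if (-not $mail -or $mail.ReadAsPlain -ne 1) {
    $findings += 'Outlook ReadAsPlain is not 1: HTML preview remains a path for the OLE bug until patched.'
}

# 5. Most recent hotfix, to confirm whether the January cumulative update has landed.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $findings += "Most recent hotfix: $($latest.HotFixID) installed $($latest.InstalledOn)"
}

$findings | ForEach-Object { Write-Output $_ }
```

The script reports exposure indicators only; it does not change any setting, so it is safe to run across a fleet before deciding which hosts to patch first.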

Microsoft’s January 2025 update is in stark contrast to January 2024’s update, when the company disclosed just 49 CVEs. According to data from Automox, the company issued patches for 150 CVEs in April 2024 and for 142 in July.

Source: www.darkreading.com
