date 2025-01-15

Microsoft kicked off 2025 with a bang on the second Tuesday of January, dropping a massive Patch Tuesday update containing fixes for 159 vulnerabilities – rising to 161 when two additional vulnerabilities disclosed through CERT CC and GitHub are included.

According to Dustin Childs of the Zero Day Initiative, this may be the largest number of CVEs addressed in a month since 2017 – indeed, it is more than treble the number (49) fixed this time last year – and follows another unusually heavy December update.

“[This] could be an ominous sign for patch levels in 2025,” wrote Childs in his regular round-up blog. “It will be interesting to see how this year shapes up.”

Tyler Reguly, Fortra associate director of security research and development, agreed: “This is definitely one of those months where admins need to step back, take a deep breath and determine their plan of attack.

“While a large number of these vulnerabilities will be resolved by the Windows cumulative update, there is a plethora of other software impacted including a number of Office products – Word, Excel, Access, Outlook, Visio, and SharePoint – as well as other Microsoft products like .NET, .NET Framework and Visual Studio.

“Months like these are a great [reminder] that admins need to trust their vendors and their tooling,” said Reguly. “Fixing 161 vulnerabilities cannot be a fully manual process, especially since we know that more than just Microsoft patches are dropping today. Adobe, as an example, has dropped updates for Photoshop, Substance3D Stager, Illustrator for iPad, Animate and Adobe Substance3D Designer.

“Patching vulnerabilities should not be a solo endeavour in the enterprise and, if it is, it may be time to talk to your leadership about staffing and tooling changes.”

Zero-days

Among the bumper crop of vulnerabilities are no fewer than eight zero-days, three of which are known to have been exploited in the wild, and 11 critical flaws. This month’s zero-days are as follows:

CVE-2025-21333, an elevation of privilege (EoP) vuln in Windows Hyper-V NT Kernel VSP;

CVE-2025-21334, a second EoP vulnerability in the same service;

CVE-2025-21335, a third EoP vulnerability in the same service.

These three flaws in Windows Hyper-V NT Kernel VSP are known to have been exploited in the wild, but the exploits have not yet been made public. For the remaining five, the opposite is true: they have been publicly disclosed but are not known to have been exploited. These are:

CVE-2025-21186, a remote code execution (RCE) flaw in Microsoft Access;

CVE-2025-21275, an EoP flaw in Windows App Package Installer;

CVE-2025-21308, a spoofing flaw in Windows Themes;

CVE-2025-21366, a second RCE flaw in Microsoft Access;

CVE-2025-21395, a third RCE flaw in Microsoft Access.

Saeed Abbasi, vulnerability manager at the Qualys Threat Research Unit, said timely patching of the Hyper-V issues was critical since they are under active attack.

“They allow an authenticated user to elevate privileges to SYSTEM and let them take complete control of the affected environment,” said Abbasi. “Usually, moving from guest to host/hypervisor indicates a CVSS [Common Vulnerability Scoring System] scope change, but Microsoft’s current disclosure has not explicitly confirmed this, suggesting further details are needed; this could jeopardise the entire host infrastructure, not just the individual VM [virtual machine].”

A threat actor able to achieve SYSTEM-level privileges is a grave concern to defenders, because it opens the door to other actions – such as disabling on-board security tooling, or credential dumping to pivot across domains within the target environment. Such techniques are frequently used by both financially motivated cyber criminal gangs and nation-state backed espionage operators.