Best of 2025: Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
10Critical147Important0Moderate0LowMicrosoft addresses 157 CVEs in the first Patch Tuesday release of 2025 and the largest Patch Tuesday update ever with three CVEs exploited in the wild, and five CVEs publicly disclosed prior to patches being ma
Best of 2025: Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
10Critical147Important0Moderate0LowMicrosoft addresses 157 CVEs in the first Patch Tuesday release of 2025 and the largest Patch Tuesday update ever with three CVEs exploited in the wild, and five CVEs publicly disclosed prior to patches being made available.Microsoft patched 157 CVEs in its January 2025 Patch Tuesday release, with 10 rated critical and 147 rated as important. Our counts omitted two vulnerabilities, one reported by GitHub and another reported by CERT/CC. To date, the January 2025 Patch Tuesday release is the largest ever from Microsoft.This month’s update includes patches for:.NET.NET and Visual Studio.NET,.NET Framework, Visual StudioActive Directory Domain ServicesActive Directory Federation ServicesAzure Marketplace SaaS ResourcesBranchCacheIP HelperInternet ExplorerLine Printer Daemon Service (LPD)Microsoft AutoUpdate (MAU)Microsoft Azure Gateway ManagerMicrosoft Brokering File SystemMicrosoft Digest AuthenticationMicrosoft Graphics ComponentMicrosoft OfficeMicrosoft Office AccessMicrosoft Office ExcelMicrosoft Office OneNoteMicrosoft Office OutlookMicrosoft Office Outlook for MacMicrosoft Office SharePointMicrosoft Office VisioMicrosoft Office WordMicrosoft PurviewMicrosoft Windows Search ComponentPower AutomateReliable Multicast Transport Driver (RMCAST)Visual StudioWindows BitLockerWindows Boot LoaderWindows Boot ManagerWindows COMWindows Client-Side Caching (CSC) ServiceWindows Cloud Files Mini Filter DriverWindows Connected Devices Platform ServiceWindows Cryptographic ServicesWindows DWM Core LibraryWindows Digital MediaWindows Direct ShowWindows Event TracingWindows Geolocation ServiceWindows HelloWindows Hyper-V NT Kernel Integration VSPWindows InstallerWindows KerberosWindows Kernel MemoryWindows MapUrlToZoneWindows Mark of the Web (MOTW)Windows Message QueuingWindows NTLMWindows OLEWindows PrintWorkflowUserSvcWindows Recovery Environment AgentWindows Remote Desktop ServicesWindows SPNEGO Extended NegotiationWindows Security Account ManagerWindows Smart CardWindows SmartScreenWindows Telephony ServiceWindows ThemesWindows UPnP Device HostWindows Virtual Trusted Platform ModuleWindows Virtualization-Based Security (VBS) EnclaveWindows WLAN Auto Config ServiceWindows Web Threat Defense User ServiceWindows Win32K – GRFXRemote code execution (RCE) vulnerabilities accounted for 36.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.5%.CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege VulnerabilitiesCVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are EoP vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. An authenticated, local attacker could exploit this vulnerability to elevate privileges to SYSTEM. Two of the three vulnerabilities were unattributed, with CVE-2025-21333 being attributed to an Anonymous researcher.According to Microsoft all three vulnerabilities were exploited in the wild as zero-days. No specific details about the in-the-wild exploitation were public at the time this blog post was released.CVE-2025-21186, CVE-2025-21366, CVE-2025-21395 | Microsoft Access Remote Code Execution VulnerabilityCVE-2025-21186, CVE-2025-21366 and CVE-2025-21395 are RCE vulnerabilities in Microsoft Access, a database management system. All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. A remote, unauthenticated attacker could exploit this vulnerability by convincing a target through social engineering to download and open a malicious file. Successful exploitation would grant an attacker arbitrary code execution privileges on the vulnerable system. This update “blocks potentially malicious extensions from being sent in an email.”According to Microsoft, these three vulnerabilities were publicly disclosed prior to a patch being available (zero-days). They are attributed to Unpatched.ai, which uses artificial intelligence (AI) to “help find and analyze” vulnerabilities.CVE-2025-21308 | Windows Themes Spoofing VulnerabilityCVE-2025-21308 is a spoofing vulnerability affecting Windows Themes. This vulnerability received a CVSSv3 score of 6.5 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to convince a user to load a malicious file, then convince the user to “manipulate the specially crafted file.” Microsoft has provided a list of mitigations including disabling New Technology LAN Manager (NTLM) or using group policy to block NTLM hashes. For more information on the mitigation guidance, please refer to the Microsoft advisory.CVE-2025-21275 | Windows App Package Installer Elevation of Privilege VulnerabilityCVE-2025-21275 is an EoP vulnerability in the Microsoft Windows App Package Installer. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges. These types of flaws are often associated with post-compromise activity, after an attacker has breached a system through other means.According to Microsoft, this vulnerability was publicly disclosed prior to a patch being available. It is attributed to an Anonymous researcher.CVE-2025-21297, CVE-2025-21309 | Windows Remote Desktop Services Remote Code Execution VulnerabilityCVE-2025-21297 and CVE-2025-21309 are critical RCE vulnerabilities affecting Windows Remote Desktop Services. Both of these vulnerabilities were assigned CVSSv3 scores of 8.1, however CVE-2025-21309 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index, while CVE-2025-21297 was assessed as “Exploitation Less Likely.”According to Microsoft, successful exploitation of these flaws requires an attacker to connect to a system with the Remote Desktop Gateway role and trigger a race-condition that creates a use-after-free scenario which can be leveraged to execute arbitrary code.CVE-2025-21298 | Windows OLE Remote Code Execution VulnerabilityCVE-2025-21298 is a RCE vulnerability in Microsoft Windows Object Linking and Embedding (OLE). It was assigned a CVSSv3 score of 9.8 and is rated critical. It has been assessed as “Exploitation More Likely.” An attacker could exploit this vulnerability by sending a specially crafted email to a target. Successful exploitation would lead to remote code execution on the target system if the target opens this email using a vulnerable version of Microsoft Outlook or if their software is able to preview the email through a preview pane.Microsoft’s advisory for this vulnerability recommends configuring Microsoft Outlook to read email messages “in plain text format” instead of a rich format that will display other types of content, such as photos, animations or specialized fonts. To configure Outlook in this way, please refer to the following article, Read email messages in plain text.Tenable SolutionsA list of all the plugins released for Microsoft’s January 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationJoin on the Tenable Community.Learn more about , the Exposure Management Platform for the modern attack surface.
About Author
