Elnur - stock.adobe.com
Biggest Patch Tuesday in years sees Microsoft address 159 vulnerabilities
The largest Patch Tuesday of the 2020s so far brings fixes for more than 150 CVEs ranging widely in their scope and severity – including eight zero-day flaws
Microsoft kicked off 2025 with a bang on the second Tuesday of January, dropping a massive Patch Tuesday update containing fixes for 159 vulnerabilities – rising to 161 incorporating two additional vulnerabilities through CERT CC and GitHub.
According to Dustin Childs of the Zero Day Initiative, this may be the largest number of CVEs addressed in a month since 2017 – indeed, it is more than treble the number (49) fixed this time last year – and follows another unusually heavy December update.
“[This] could be an ominous sign for patch levels in 2025,” wrote Childs in his regular round-up blog. “It will be interesting to see how this year shapes up.”
Tyler Reguly, Fortra associate director of security research and development, agreed: “This is definitely one of those months where admins need to step back, take a deep breath and determine their plan of attack.
“While a large number of these vulnerabilities will be resolved by the Windows cumulative update, there is a plethora of other software impacted including a number of Office products – Word, Excel, Access, Outlook, Visio, and SharePoint – as well as other Microsoft products like .NET, .NET Framework and Visual Studio.
“Months like these are a great [reminder] that admins need to trust their vendors and their tooling,” said Reguly. “Fixing 161 vulnerabilities cannot be a fully manual process, especially since we know that more than just Microsoft patches are dropping today. Adobe, as an example, as dropped updates for Photoshop, Substance3D Stager, Illustrator for iPad, Animate and Adobe Substance3D Designer.
“Patching vulnerabilities should not be a solo endeavour in the enterprise and, if it is, it may be time to talk to your leadership about staffing and tooling changes.”
Zero-days
Among the bumper crop of vulnerabilities are no less than eight zero-days, three that are known to have been exploited in the wild, and 11 critical flaws.
This month’s zero-days are as follows:
- CVE-2025-21333, an elevation of privilege (EoP) vuln in Windows Hyper-V NT Kernel VSP;
- CVE-2025-21334, a second EoP vulnerability in the same service;
- CVE-2025-21335, a third EoP vulnerability in the same service.
These flaws in Windows Hyper-V NT Kernel VSP are known to have been exploited in the wild, but these exploits have not yet been made public, while for the remaining five, the opposite is true. These are:
- CVE-2025-21186, a remote code execution (RCE) flaw in Microsoft Access;
- CVE-2025-21275, an EoP flaw in Windows App Package Installer;
- CVE-2025-21308, a spoofing flaw in Windows Themes;
- CVE-2025-21366, a second RCE flaw in Microsoft Access;
- CVE-2025-21395, a third RCE flaw in Microsoft Access.
Saaed Abbasi, vulnerability manager at the Qualys Threat Research Unit, said timely patching of the Hyper-V issues was critical since they are under active attack.
“They allow an authenticated user to elevate privileges to SYSTEM and let them take complete control of the affected environment,” said Abbasi.
“Usually, moving from guest to host/hypervisor indicates a CVSS [Common Vulnerability Scoring System] scope change, but Microsoft’s current disclosure has not explicitly confirmed this, suggesting further details are needed; this could jeopardise the entire host infrastructure, not just the individual VM [virtual machine].”
A threat actor able to achieve SYSTEM-level privileges is a grave concern to defenders, because it opens the door to other actions – such as disabling on-board security tooling, or credential dumping to pivot across domains within the target environment. Such techniques are frequently used by both financially motivated cyber criminal gangs and nation-state backed espionage operators.
Does you does or does you don't take Access?
Meanwhile, Adam Barnett, lead software engineer at Rapid7, ran the rule over the three similar RCE issues in Microsoft Access.
Barnett detailed how successful exploitation – should it occur – would require a user to be fooled into downloading and opening a malicious file, leading to code execution via a heap-based buffer overflow.
“Curiously, in each case, one portion of the advisory FAQ describes the update protection as ‘blocking potentially malicious extensions from being sent in an email’, but the remainder of the advisory doesn’t clarify how this would prevent malicious activity,” said Barnett.
“Typically, patches provide protection by blocking malicious files upon receipt of a malicious email attachment, rather than preventing a malicious attachment from being sent in the first place, since an attacker is free to send whatever they like from any system they control.
“At any rate, the FAQ does mention that users who would otherwise have interacted with a malicious attachment will instead receive a notification that there was an attachment but ‘it cannot be accessed’, which is perhaps the best play on words we’ve seen from MSRC in a while,” he said.
On the spoofing flaw in Windows Themes, Barnett said many admins and users may not think about this feature – which enables users to personalise their desktops with background images, screensavers and so on – very often if at all, but it was still essential to pay close attention to all aspects of the Windows estate.
“Successful exploitation leads to improper disclosure of an NTLM hash, which allows an attacker to impersonate the user from whom it was acquired,” he said.
“The advisory FAQ dances around the exploitation methodology without explaining; what we learn is that once an attacker had somehow delivered a malicious file to the target system, a user would need to manipulate the malicious file, but not necessarily click or open it.
“Without further detail, we can only speculate, but it’s plausible that simply opening a folder containing the file in Windows Explorer – including the Downloads folder – or inserting a USB drive, would be enough to trigger the vulnerability and see your NTLM hash leak silently for collection by the threat actor.”
Read more about Patch Tuesday
- December 2024: Microsoft has fixed over 70 CVEs in its final Patch Tuesday update of the year, and defenders should prioritise a zero-day in the Common Log File System Driver, and another impactful flaw in the Lightweight Directory Access Protocol.
- November 2024: High-profile vulns in NTLM, Windows Task Scheduler, Active Directory Certificate Services and Microsoft Exchange Server should be prioritised from November’s Patch Tuesday update.
- October 2024: Stand-out vulnerabilities in Microsoft’s latest Patch Tuesday drop include problems in Microsoft Management Console and the Windows MSHTML Platform.
- September 2024: Four critical remote code execution bugs in Windows and three critical elevated privileges vulnerabilities will keep admins busy.
- August 2024: Microsoft patches six actively exploited zero-days among over 100 issues during its regular monthly update.
- July 2024: Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-day singled out for urgent attention.
- June 2024: An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address in Microsoft’s latest Patch Tuesday update.
- May 2024: A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malware that is drawing attention.
- April 2024: Support for the Windows Server 2008 OS ended in 2020, but four years on and there's a live exploit of a security flaw that impacts all Windows users.
- March 2024: Two critical vulnerabilities in Windows Hyper-V stand out on an otherwise unremarkable Patch Tuesday.
- February 2024: Two security feature bypasses impacting Microsoft SmartScreen are on the February Patch Tuesday docket, among more than 70 issues.
