159-CVE January Patch Tuesday smashes single-month report – Sophos Information

Microsoft on Tuesday launched 159 patches touching 13 product households. 9 of the addressed points are thought-about by Microsoft to be of Important severity, and 43 have a CVSS base rating of 8.0 or increased. Three are below lively exploit within the wild. One can finest be mitigated by “configur[ing] Microsoft Outlook to learn all commonplace mail in plain textual content.”

The unprecedented patch haul falls primarily to Home windows, with 132 patches relevant to the working system. (132 patches would itself high quality because the third-largest launch since 2020.) Inside that group, numerous themes emerge – 28 remote-code-execution patches affecting Home windows Telephony Companies, as an illustration, or the 17 elevation-of-privilege points addressed in Home windows Digital Media. Eight of the Home windows patches are critical-severity, together with the OLE-involved Outlook bug famous above. (We’ll look extra carefully at that scenario in a minute.)

At patch time, three important-severity EoP points, all titled “Home windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability,” are recognized to be below exploit within the wild, with 17 further CVEs extra prone to be exploited within the subsequent 30 days by the corporate’s estimation. Two of this month’s points are amenable to detection by Sophos protections, and we embody data on these in a desk under.

Along with these patches, the discharge consists of advisory data on Servicing Stack Updates, in addition to data on the month’s single Edge patch (there’s additionally an Web Explorer patch, as we’ll talk about under) and two points coated within the launch however already mitigated by Microsoft. We’re as at all times together with on the finish of this publish further appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household; an appendix protecting the advisory-style updates; and a breakout of the 130 patches affecting the assorted Home windows Server platforms nonetheless in assist.

• Complete CVEs: 159
• Publicly disclosed: 3
• Exploit detected: 3
• Severity
  • Important: 9
  • Necessary: 150
• Impression
  • Distant Code Execution: 58
  • Elevation of Privilege: 40
  • Data Disclosure: 22
  • Denial of Service: 20
  • Safety Characteristic Bypass: 14
  • Spoofing: 5
• CVSS base rating 9.0 or higher: 3
• CVSS base rating 8.0 or higher: 40

Determine 1: Although RCE continues to rule the roost, a wide range of impacts are represented within the first patch haul of the 12 months

Merchandise

• Home windows: 132
• 365: 13
• Workplace: 13
• Visible Studio: 7
• .NET: 4
• Entry: 3
• SharePoint: 3
• Workplace for Mac: 2
• AutoUpdate for Mac: 1
• Excel: 1
• Outlook: 1
• On-Premises Knowledge Gateway: 1
• Energy Automate: 1

As is our customized for this record, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on.

Determine 2: All however two of January’s Home windows patches apply to the server-side OS. As for the remaining, Workplace for Mac will get a single patch all to iteself and shares one with different variations of Workplace

Notable January updates

Along with the problems mentioned above, numerous particular gadgets benefit consideration.

CVE-2025-21298 — Home windows OLE Distant Code Execution Vulnerability

With a CVSS base rating of 9.8, this critical-severity situation is already attention-getting, but it surely’s much more thrilling than that. That is an RTF (Wealthy Textual content Format) situation, so although it should be corrected in Home windows it applies to varied merchandise, particularly e-mail. For the reason that flaw will be triggered in Preview Pane, an attacker deploying this vulnerability must do nothing greater than ship a malicious e-mail to the goal; even when the consumer doesn’t click on on something, merely viewing it’s adequate to set off RCE. Fortuitously it’s not but believed to be below lively exploit within the wild – the finders labored with The Zero-Day Initiative to convey it to Microsoft’s consideration – but it surely’s affordable to imagine the clock is ticking. As famous above, the corporate does certainly advocate that customers follow studying their e-mail in plaintext, and provides the directions for configuring particular person machines to take action in Outlook. Customers of different e-mail applications will want to take word and act accordingly.

CVE-2025-21311 — Home windows NTLM V1 Elevation of Privilege Vulnerability

One other 9.8 on CVSS’s scale, this one applies to Microsoft’s most up-to-date choices (Home windows 11 24H2, Server 2022 23H2, Server 2025) and is comparatively straightforward to mitigate by setting LmCompatibilityLevel to its most worth of 5, thus disallowing utilization of the MTLMv1 protocol. That’s good, as a result of the vulnerability is remotely exploitable, requires no explicit information of the goal system, and has a excessive success price.

CVE-2025-21366, CVE-2025-21395, CVE-2025-21186 – all Microsoft Entry Distant Code Execution Vulnerability

Persevering with this month’s theme of “adjustments to e-mail performance that’ll make finish customers cranky,” the patches for these CVEs all block seven doubtlessly malicious extensions (.accda, .accdb, .accde,  .accdr, accdt, .accdu, .accdw) from being despatched by way of e-mail. Microsoft states that the recipient will get a notification that there was an attachment however that it can’t be accessed. All three points are RCE aimed toward RDP, and all three are already publicly recognized.

CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370 – numerous titles

Eight of this month’s patches contain Digital Safe Mode parts, which signifies that directors have to comply with Microsoft’s steerage for updating virtualization-based safety (VBS) points.

CVE-2025-21343 — Home windows Net Risk Protection Person Service Data Disclosure Vulnerability

An Necessary-severity information-disclosure situation, this oddity can, if exploited, permit the attacker to seize screenshots of one other consumer’s session. It’s likewise relatively particular in scope, affecting solely Home windows 11 22H2, 23H2, and 24H2. It was submitted to Microsoft by an unusual finder, the Australian Indicators Directorate.

CVE-2025-21326 — Web Explorer Distant Code Execution Vulnerability

Looks as if outdated instances with a reputation like that, however this important-severity RCE impacts not the browser of yore however Home windows Server 2022 23H2 and Home windows Server 2025.

Determine 3: This spike on the proper edge? There we’re

Sophos protections

As you’ll be able to each month, if you happen to don’t wish to wait in your system to tug down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe software to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal in your particular system’s structure and construct quantity.

Appendix A: Vulnerability Impression and Severity

This can be a record of January patches sorted by influence, then sub-sorted by severity. Every record is additional organized by CVE.

Distant Code Execution (58 CVEs)

Elevation of Privilege (40 CVEs)

Data Disclosure (22 CVEs)

Denial of Service (20 CVEs)

Safety Characteristic Bypass (14 CVEs)

Spoofing (5 CVEs)

Appendix B: Exploitability

This can be a record of the January CVEs judged by Microsoft to be both below exploitation within the wild or extra prone to be exploited within the wild throughout the first 30 days post-release. The record is organized by CVE.

Appendix C: Merchandise Affected

This can be a record of January’s patches sorted by product household, then sub-sorted by severity. Every record is additional organized by CVE. Patches which are shared amongst a number of product households are listed a number of instances, as soon as for every product household. Points affecting Home windows Server are additional sorted in Appendix E. Please word that Workplace for Mac has a standalone entry for CVE-2025-21361, which impacts solely that platform.

Home windows (132 CVEs)

365 (13 CVEs)

Workplace (13 CVEs)

Visible Studio (7 CVEs)

.NET (4 CVEs)

Entry (3 CVEs)

SharePoint (3 CVEs)

Workplace for Mac (2 CVEs)

AutoUpdate for Mac (1 CVE)

Excel (1 CVE)

Outlook (1 CVE)

On-Premises Knowledge Gateway (1 CVE)

Energy Automate (1 CVE)

Appendix D: Advisories and Different Merchandise

This can be a record of advisories and knowledge on different related CVEs within the January launch. The problems addressed within the three CVEs have already been mitigated by Microsoft, however had been listed within the launch within the pursuits of transparency.

Microsoft data:

There are not any Adobe advisories on this month’s launch.

Appendix E: Affected Home windows Server variations

This can be a desk of CVEs within the January launch affecting 9 Home windows Server variations, 2008 by 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Important-severity points are marked in purple; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity, as every reader’s scenario, particularly because it considerations merchandise out of mainstream assist, will fluctuate. For particular Data Base numbers, please seek the advice of Microsoft.