Microsoft’s January replace incorporates patches for a document 159 vulnerabilities, together with eight zero-day bugs, three of which attackers are already actively exploiting.
The replace is Microsoft’s largest ever and is notable additionally for together with three bugs that the corporate mentioned had been found by a synthetic intelligence (AI) platform.
Microsoft assessed 10 of the vulnerabilities disclosed this week as being of vital severity and the remaining ones as essential bugs to repair. As at all times, the patches tackle vulnerabilities in a variety of Microsoft applied sciences, together with Home windows OS, Microsoft Workplace, .NET, Azure, Kerberos, and Home windows Hyper-V. They embrace greater than 20 distant code execution (RCE) vulnerabilities, almost the identical variety of elevation-of-privilege bugs, and an assortment of different denial-of-service flaws, safety bypass points, and spoofing and data disclosure vulnerabilities.
Three Vulnerabilities to Patch Instantly
A number of safety researchers pointed to the three actively exploited bugs on this month’s replace because the vulnerabilities that want rapid consideration. The vulnerabilities, recognized as CVE-2025-21335, CVE-2025-21333, and CVE-2025-21334, are all privilege escalation points in a element of the Home windows Hyper-V’s NT Kernel. Attackers can exploit the bug comparatively simply and with minimal permissions to realize system-level privileges on affected methods.
Microsoft itself has assigned every of the three bugs a comparatively average severity rating of seven.8 out of 10 on the CVSS scale. However the truth that attackers are exploiting the bug already means organizations can not afford to delay patching it. “Do not be fooled by their comparatively low CVSS scores of seven.8,” mentioned Kev Breen, senior director risk analysis, Immersive Labs, in emailed feedback. “Hyper-V is closely embedded in fashionable Home windows 11 working methods and used for a variety of safety duties.”
Microsoft has not launched any particulars on how attackers are exploiting the vulnerabilities. However it’s doubtless that risk actors are utilizing it to escalate privileges after they’ve gained preliminary entry to a goal surroundings, in response to researchers. “With out correct safeguards, such vulnerabilities escalate to full guest-to-host takeovers, posing important safety dangers throughout your digital surroundings,” researchers at Automox wrote in a weblog publish this week.
5 Publicly Disclosed however Not But Exploited Zero-Days
The remaining 5 zero-days that Microsoft patched in its January replace are all bugs which have been beforehand disclosed however which attackers haven’t exploited but. Three of the bugs allow distant code execution and have an effect on Microsoft Entry: CVE-2025-21186 (CVSS:7.8/10), CVE-2025-21366 (CVSS: 7.8/10), and CVE-2025-21395. Microsoft credited AI-based vulnerability searching platform Unpatched.ai for locating the bugs. “Automated vulnerability detection utilizing AI has garnered numerous consideration lately, so it is noteworthy to see this service being credited with discovering bugs in Microsoft merchandise,” Satnam Narang, senior employees analysis engineer for Tenable, wrote in emailed feedback. “It might be the primary of many in 2025.”
The opposite two publicly disclosed however as but unexploited zero-days in Microsoft’s January safety replace are CVE-2025-21275 (CVSS: 7.8/10) in Home windows App Package deal Installer and CVE-2025-21308 in Home windows Themes. Each allow privilege escalation to SYSTEM and subsequently are high-priority bugs for fixing as nicely.
Different Vital Vulns
Along with the zero-days there are a number of different vulnerabilities within the newest batch that additionally advantage high-priority consideration. Close to the highest of the record are three CVEs to which Microsoft has assigned close to most CVSS scores of 9.8 out of 10: CVE-2025-21311 in Home windows NTLMv1 on a number of Home windows variations; CVE-2025-21307, an unauthenticated RCE flaw in Home windows Dependable Multicast Transport Driver; and CVE-2025-21298, an arbitrary code execution vulnerability in Home windows OLE.
In keeping with Ben Hopkins, cybersecurity engineer at Immersive Labs, Microsoft doubtless rated CVE-2025-21311 as vital due to the possibly extreme threat it presents. “What makes this vulnerability so impactful is the truth that it’s remotely exploitable, so attackers can attain the compromised machine(s) over the Web,” he wrote in emailed feedback. “The attacker doesn’t want important data or expertise to attain repeatable success with the identical payload throughout any weak element.”
CVE-2025-21307, in the meantime, is a use-after-free reminiscence corruption bug that impacts organizations utilizing the Pragmatic Common Multicast (PGM) multicast transport protocol. In such an surroundings, an unauthenticated attacker solely must ship a malicious packet to the server to set off the vulnerability, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, wrote in emailed feedback. Attackers who efficiently assault the vulnerability can achieve kernel-level entry to affected methods, that means organizations utilizing the protocol want to use Microsoft’s patch for the flaw instantly, McCarthy added.
Tyler Reguly, related director of safety R&D at Fortra, described CVE-2025-21298 — the third 9.8 severity bug — as an RCE flaw that an attacker would doubtless exploit by way of e-mail slightly than over the community. “The Microsoft Outlook preview pane is a legitimate assault vector, which lends itself to calling this a distant assault. Take into account studying all emails in plaintext to keep away from vulnerabilities like this one,” he famous in emailed feedback.
Microsoft’s January 2025 replace is in stark distinction to January 2024’s replace when the corporate disclosed simply 49 CVEs. In keeping with knowledge from Automox, the corporate issued patches for 150 CVEs in April 2024, and for 142 in July.
