Microsoft’s January replace accommodates patches for a report 159 vulnerabilities, together with eight zero-day bugs, three of which attackers are already actively exploiting.
The update is Microsoft’s largest ever and is notable additionally for together with three bugs that the corporate stated have been found by a synthetic intelligence (AI) platform.
Microsoft assessed 10 of the vulnerabilities disclosed this week as being of crucial severity and the remaining ones as essential bugs to repair. As at all times, the patches tackle vulnerabilities in a variety of Microsoft applied sciences, together with Home windows OS, Microsoft Workplace, .NET, Azure, Kerberos, and Home windows Hyper-V. They embrace greater than 20 distant code execution (RCE) vulnerabilities, almost the identical variety of elevation-of-privilege bugs, and an assortment of different denial-of-service flaws, safety bypass points, and spoofing and data disclosure vulnerabilities.
Three Vulnerabilities to Patch Instantly
A number of safety researchers pointed to the three actively exploited bugs on this month’s replace because the vulnerabilities that want rapid consideration. The vulnerabilities, recognized as CVE-2025-21335, CVE-2025-21333, and CVE-2025-21334, are all privilege escalation points in a element of the Home windows Hyper-V’s NT Kernel. Attackers can exploit the bug comparatively simply and with minimal permissions to achieve system-level privileges on affected programs.
Microsoft itself has assigned every of the three bugs a comparatively reasonable severity rating of seven.8 out of 10 on the CVSS scale. However the truth that attackers are exploiting the bug already means organizations can’t afford to delay patching it. “Do not be fooled by their comparatively low CVSS scores of seven.8,” stated Kev Breen, senior director menace analysis, Immersive Labs, in emailed feedback. “Hyper-V is closely embedded in fashionable Home windows 11 working programs and used for a spread of safety duties.”
Microsoft has not launched any particulars on how attackers are exploiting the vulnerabilities. However it’s seemingly that menace actors are utilizing it to escalate privileges after they’ve gained preliminary entry to a goal atmosphere, in response to researchers. “With out correct safeguards, such vulnerabilities escalate to full guest-to-host takeovers, posing vital safety dangers throughout your digital atmosphere,” researchers at Automox wrote in a weblog put up this week.
5 Publicly Disclosed however Not But Exploited Zero-Days
The remaining 5 zero-days that Microsoft patched in its January replace are all bugs which have been beforehand disclosed however which attackers haven’t exploited but. Three of the bugs allow distant code execution and have an effect on Microsoft Entry: CVE-2025-21186 (CVSS:7.8/10), CVE-2025-21366 (CVSS: 7.8/10), and CVE-2025-21395. Microsoft credited AI-based vulnerability looking platform Unpatched.ai for locating the bugs. “Automated vulnerability detection utilizing AI has garnered loads of consideration lately, so it is noteworthy to see this service being credited with discovering bugs in Microsoft merchandise,” Satnam Narang, senior employees analysis engineer for Tenable, wrote in emailed feedback. “It might be the primary of many in 2025.”
The opposite two publicly disclosed however as but unexploited zero-days in Microsoft’s January safety replace are CVE-2025-21275 (CVSS: 7.8/10) in Home windows App Package deal Installer and CVE-2025-21308 in Home windows Themes. Each allow privilege escalation to SYSTEM and subsequently are high-priority bugs for fixing as nicely.
Different Vital Vulns
Along with the zero-days there are a number of different vulnerabilities within the newest batch that additionally benefit high-priority consideration. Close to the highest of the record are three CVEs to which Microsoft has assigned close to most CVSS scores of 9.8 out of 10: CVE-2025-21311 in Home windows NTLMv1 on a number of Home windows variations; CVE-2025-21307, an unauthenticated RCE flaw in Home windows Dependable Multicast Transport Driver; and CVE-2025-21298, an arbitrary code execution vulnerability in Home windows OLE.
In line with Ben Hopkins, cybersecurity engineer at Immersive Labs, Microsoft seemingly rated CVE-2025-21311 as crucial due to the doubtless extreme threat it presents. “What makes this vulnerability so impactful is the truth that it’s remotely exploitable, so attackers can attain the compromised machine(s) over the Web,” he wrote in emailed feedback. “The attacker doesn’t want vital data or abilities to attain repeatable success with the identical payload throughout any susceptible element.”
CVE-2025-21307, in the meantime, is a use-after-free reminiscence corruption bug that impacts organizations utilizing the Pragmatic Normal Multicast (PGM) multicast transport protocol. In such an atmosphere, an unauthenticated attacker solely must ship a malicious packet to the server to set off the vulnerability, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, wrote in emailed feedback. Attackers who efficiently assault the vulnerability can achieve kernel-level entry to affected programs, which means organizations utilizing the protocol want to use Microsoft’s patch for the flaw instantly, McCarthy added.
Tyler Reguly, related director of safety R&D at Fortra, described CVE-2025-21298 — the third 9.8 severity bug — as an RCE flaw that an attacker would seemingly exploit by way of e-mail fairly than over the community. “The Microsoft Outlook preview pane is a sound assault vector, which lends itself to calling this a distant assault. Think about studying all emails in plaintext to keep away from vulnerabilities like this one,” he famous in emailed feedback.
Microsoft’s January 2025 replace is in stark distinction to January 2024’s replace when the corporate disclosed simply 49 CVEs. In line with information from Automox, the corporate issued patches for 150 CVEs in April 2024, and for 142 in July.
Source link