Application Management and Patching
January 2025 Patch Tuesday: Major Security Updates and Active Exploits
This month, Microsoft fixes at least 159 vulnerabilities (some counts place it as high as 161), including eight zero-day flaws—three of which are already under active attack. These updates also address 12 critical vulnerabilities, covering everything from remote code execution to privilege escalation. With such a large release, organizations should move quickly to patch systems and reduce their exposure.
Three Actively Exploited Zero-Day Vulnerabilities
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
All three zero-days reside in Windows Hyper-V’s NT Kernel Integration VSP and have been exploited in the wild to grant attackers SYSTEM privileges on targeted systems. While Microsoft has not disclosed specific exploitation details, this trio of vulnerabilities underscores how potent privilege escalation flaws can be once an attacker has a foothold in a network.
Other Publicly Disclosed Zero-Days
Windows App Package Installer Elevation of Privilege (CVE-2025-21275)
Attackers who succeed in exploiting this can gain full SYSTEM rights. The flaw was reported anonymously and demands careful attention to patch management on endpoints where users install apps frequently.
Windows Themes Spoofing (CVE-2025-21308)
Simply viewing a crafted theme file in Windows Explorer can expose NTLM credentials and open the door for pass-the-hash attacks. Organizations that use older NTLM protocols should consider disabling NTLM or enforcing strict outbound NTLM policies.
Microsoft Access Remote Code Execution (CVE-2025-21186, CVE-2025-21366, CVE-2025-21395)
Three separate flaws discovered by an AI-assisted research platform highlight new ways attackers can trick users into running malicious files. Blocking or scanning Access file types sent via email is one recommended safeguard.
Critical Vulnerabilities
Twelve vulnerabilities are categorized as critical this month, including several remote code execution issues:
- Windows OLE Remote Code Execution (CVE-2025-21298): Rated 9.8 (out of 10) on the CVSS scale, this bug could let attackers run code by convincing a user to open a malicious document. Microsoft expects more exploitation attempts.
- Windows NTLM V1 Elevation of Privilege (CVE-2025-21311): Also rated 9.8 CVSS, this legacy authentication protocol weakness is considered highly dangerous because it’s remotely exploitable and can be repeated across multiple vulnerable systems.
- SPNEGO Extended Negotiation (NEGOEX) Security Mechanism RCE (CVE-2025-21295): Attackers could exploit Windows authentication to run malicious code. Strengthening or updating authentication measures is crucial.
Other products receiving critical patches include Microsoft Office Excel, Windows Telephony Service, and BranchCache. Some of these flaws pose RCE risks with minimal user interaction.
Recommendations
- Patch Zero-Days Immediately: Give top priority to the three actively exploited vulnerabilities in Windows Hyper-V, and address the five other zero-day issues as soon as possible.
- Review Legacy Protocols: Vulnerabilities in NTLMv1 continue to appear. It’s wise to disable or restrict older authentication mechanisms where feasible.
- Strengthen Endpoint Controls: Remote code execution flaws often rely on tricking users into opening malicious files. Automated patching, robust antivirus tools, and user awareness training all help limit these risks.
- Monitor For Unusual Activity: Keep an eye on system logs, especially in virtualized environments running Hyper-V, and confirm that any unusual privilege escalations are detected quickly.
- Update Critical Applications and Services: January’s updates span everything from Microsoft Access to Windows BitLocker, so verify your patch management process covers all affected components.
Staying Protected with Recast Software
January’s Patch Tuesday fixes a broad range of security gaps—some already being weaponized. Organizations that wait to apply patches risk leaving doors open to attackers. By acting quickly and focusing on zero-days and critical bugs, IT teams can help keep systems secure.
Tools like Application Manager and Application Workspace from Recast Software streamline patch management by automating third-party updates and simplifying Microsoft Endpoint Manager workflows. This saves time, reduces human error, and helps ensure that critical security patches are applied fast across diverse devices and platforms.
For detailed information on everything addressed this month, view Microsoft’s official security update release notes. Staying on top of these updates is a key step in minimizing your organization’s attack surface.