Microsoft releases January 2025 patch, fixes 8 zero-days, 12 critical and a total of 159 flaws

Microsoft has released its first Patch Tuesday of 2025, addressing 159 security vulnerabilities across various products including Windows, .NET, Visual Studio, Microsoft Excel, and Azure services. Among these, eight are zero days exploited and at least three actively exploited and twelve vulnerabilities are classified as "Critical".

The vulnerabilities addressed in this update include:

• 58 Remote Code Execution Vulnerabilities
• 40 Elevation of Privilege Vulnerabilities
• 24 Information Disclosure Vulnerabilities
• 20 Denial of Service Vulnerabilities
• 14 Security Feature Bypass Vulnerabilities
• 5 Spoofing Vulnerabilities

The actively exploited and zero day flaws:

• CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 (all CVSS score 7.8)- A series of elevation of privilege vulnerabilities in Windows Hyper-V that are being used in post-compromise activities to gain SYSTEM privileges.
• CVE-2025-21275 (CVSS score 7.8) (Windows App Package Installer) - An elevation of privilege vulnerability that enables attackers to gain SYSTEM-level privileges once successfully exploited. This vulnerability was reported anonymously to Microsoft.
• CVE-2025-21308 (CVSS score 6.5) (Windows Themes) - A spoofing vulnerability that bypasses a previous vulnerability (CVE-2024-38030) and can be exploited when a specially crafted Theme file is displayed in Windows Explorer. When a Theme file with specific BrandImage and Wallpaper network path settings is viewed, Windows automatically transmits the logged-in user's NTLM credentials to a remote host. These credentials could then be cracked or used in pass-the-hash attacks. Microsoft has provided mitigation through either disabling NTLM or enabling the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.
• CVE-2025-21186, CVE-2025-21366, CVE-2025-21395 (all CVSS score 7.8) (Microsoft Access) - Three remote code execution vulnerabilities discovered by Unpatched.ai, an AI-assisted vulnerability discovery platform. These flaws can be exploited when opening specially crafted Microsoft Access documents. As a mitigation measure, Microsoft has implemented blocking of specific Microsoft Access file types when received via email, including:
  • accdb
  • accde
  • accdw
  • accdt
  • accda
  • accdr
  • accdu

Critical vulnerabilities include:

• CVE-2025-21298 (CVSS score 9.8) - remote Code Execution vulnerability in Windows Object Linking and Embedding (OLE) that could be exploited through specially crafted emails in Microsoft Outlook, even without user interaction beyond preview.
• CVE-2025-21307 (CVSS score 9.8) - remote Code Execution vulnerability in Windows Reliable Multicast Transport Driver (RMCAST) that affects network data transmission. Exploitation requires an application actively listening on a PGM port.
• CVE-2025-21311 (CVSS score 9.8) - privilege escalation vulnerability in Windows NT LAN Manager (NTLM) that can be exploited remotely with minimal technical expertise.
• CVE-2025-21380  (CVSS score 8.8) - Azure Marketplace SaaS Resources Information Disclosure Vulnerability
• CVE-2025-21296  (CVSS score 7.5) - BranchCache Remote Code Execution Vulnerability
• CVE-2025-21294 (CVSS score 8.1) - Microsoft Digest Authentication Remote Code Execution Vulnerability
• CVE-2025-21362  (CVSS score 8.4) - Microsoft Excel Remote Code Execution Vulnerability
• CVE-2025-21354  (CVSS score 8.4) - Microsoft Excel Remote Code Execution Vulnerability
• CVE-2025-21385  (CVSS score 8.8) - Microsoft Purview Information Disclosure Vulnerabilit
• CVE-2025-21309  (CVSS score 8.1) - Windows Remote Desktop Services Remote Code Execution Vulnerability
• CVE-2025-21297 (CVSS score 8.1) - Windows Remote Desktop Services Remote Code Execution Vulnerability - As of 15th of May 2025, there is a published PoC of this exploit.
• CVE-2025-21295 (CVSS score 8.1) - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

The Microsoft Excel criticlal flaws are marked as "more likely" to be exploited. These vulnerabilities can be triggered even through preview functionality, making them particularly dangerous for organizations.

Microsoft has recommended mitigation strategies, including setting the LAN Manager's LmCompatabilityLvl to its maximum value (5) to prevent the usage of the older NTLMv1 protocol while still allowing NTLMv2.

Full list of patched vulnrabilities