Microsoft's January 2025 Patch Tuesday Fixes 8 Zero-Days and 159 Vulnerabilities

The update addresses actively exploited privilege-escalation flaws in Hyper-V and critical remote code execution issues across Windows and Office applications.

• Microsoft's January 2025 security update resolves 159 vulnerabilities, including eight zero-day flaws, with three already exploited in the wild.
• Three critical privilege-escalation vulnerabilities in Hyper-V (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) allow attackers to gain SYSTEM privileges but are not guest escapes.
• Critical remote code execution flaws include a Windows OLE vulnerability (CVE-2025-21298) triggered by opening malicious emails and a PGM networking issue (CVE-2025-21307) exploitable via crafted packets.
• Microsoft also fixed vulnerabilities in Excel, Remote Desktop Services, and NTLMv1 authentication, recommending mitigation strategies alongside patches.
• Other vendors, including Adobe, Cisco, and SAP, released updates addressing critical vulnerabilities in their products as part of broader January security efforts.

3 Articles

Forbes The Register BleepingComputer