Biggest Patch Tuesday in years sees Microsoft address 159 vulnerabilities

Biggest Patch Tuesday in years sees Microsoft address 159 vulnerabilities

Microsoft kicked off 2025 with a bang on the second Tuesday of January, dropping a massive Patch Tuesday update containing fixes for 159 vulnerabilities – rising to 161 incorporating two additional vulnerabilities through CERT CC and GitHub.

According to Dustin Childs of the Zero Day Initiative, this may be the largest number of CVEs addressed in a month since 2017 – indeed, it is more than treble the number (49) fixed this time last year – and follows another unusually heavy December update.

“[This] could be an ominous sign for patch levels in 2025,” wrote Childs in his regular round-up blog. “It will be interesting to see how this year shapes up.”

Tyler Reguly, Fortra associate director of security research and development, agreed: “This is definitely one of those months where admins need to step back, take a deep breath and determine their plan of attack.

“While a large number of these vulnerabilities will be resolved by the Windows cumulative update, there is a plethora of other software impacted including a number of Office products – Word, Excel, Access, Outlook, Visio, and SharePoint – as well as other Microsoft products like .NET, .NET Framework and Visual Studio.

“Months like these are a great [reminder] that admins need to trust their vendors and their tooling,” said Reguly. “Fixing 161 vulnerabilities cannot be a fully manual process, especially since we know that more than just Microsoft patches are dropping today. Adobe, as an example, as dropped updates for Photoshop, Substance3D Stager, Illustrator for iPad, Animate and Adobe Substance3D Designer.

“Patching vulnerabilities should not be a solo endeavour in the enterprise and, if it is, it may be time to talk to your leadership about staffing and tooling changes.”

Zero-days

Among the bumper crop of vulnerabilities are no less than eight zero-days, three that are known to have been exploited in the wild, and 11 critical flaws.

This month’s zero-days are as follows:

  • CVE-2025-21333, an elevation of privilege (EoP) vuln in Windows Hyper-V NT Kernel VSP;
  • CVE-2025-21334, a second EoP vulnerability in the same service;
  • CVE-2025-21335, a third EoP vulnerability in the same service.

These flaws in Windows Hyper-V NT Kernel VSP are known to have been exploited in the wild, but these exploits have not yet been made public, while for the remaining five, the opposite is true. These are:

Saaed Abbasi, vulnerability manager at the Qualys Threat Research Unit, said timely patching of the Hyper-V issues was critical since they are under active attack.

“They allow an authenticated user to elevate privileges to SYSTEM and let them take complete control of the affected environment,” said Abbasi.

“Usually, moving from guest to host/hypervisor indicates a CVSS [Common Vulnerability Scoring System] scope change, but Microsoft’s current disclosure has not explicitly confirmed this, suggesting further details are needed; this could jeopardise the entire host infrastructure, not just the individual VM [virtual machine].”

A threat actor able to achieve SYSTEM-level privileges is a grave concern to defenders, because it opens the door to other actions – such as disabling on-board security tooling, or credential dumping to pivot across domains within the target environment. Such techniques are frequently used by both financially motivated cyber criminal gangs and nation-state backed espionage operators.

Does you does or does you don’t take Access?

Meanwhile, Adam Barnett, lead software engineer at Rapid7, ran the rule over the three similar RCE issues in Microsoft Access.

Barnett detailed how successful exploitation – should it occur – would require a user to be fooled into downloading and opening a malicious file, leading to code execution via a heap-based buffer overflow.

“Curiously, in each case, one portion of the advisory FAQ describes the update protection as ‘blocking potentially malicious extensions from being sent in an email’, but the remainder of the advisory doesn’t clarify how this would prevent malicious activity,” said Barnett.

“Typically, patches provide protection by blocking malicious files upon receipt of a malicious email attachment, rather than preventing a malicious attachment from being sent in the first place, since an attacker is free to send whatever they like from any system they control.

“At any rate, the FAQ does mention that users who would otherwise have interacted with a malicious attachment will instead receive a notification that there was an attachment but ‘it cannot be accessed’, which is perhaps the best play on words we’ve seen from MSRC in a while,” he said.

On the spoofing flaw in Windows Themes, Barnett said many admins and users may not think about this feature – which enables users to personalise their desktops with background images, screensavers and so on – very often if at all, but it was still essential to pay close attention to all aspects of the Windows estate.

“Successful exploitation leads to improper disclosure of an NTLM hash, which allows an attacker to impersonate the user from whom it was acquired,” he said.

“The advisory FAQ dances around the exploitation methodology without explaining; what we learn is that once an attacker had somehow delivered a malicious file to the target system, a user would need to manipulate the malicious file, but not necessarily click or open it.

“Without further detail, we can only speculate, but it’s plausible that simply opening a folder containing the file in Windows Explorer – including the Downloads folder – or inserting a USB drive, would be enough to trigger the vulnerability and see your NTLM hash leak silently for collection by the threat actor.”



Source link