Happy New Year! Welcome to the first patch Tuesday update of 2025 and it's a huge one! In fact it's the largest Patch Tuesday since 2017, and follows in December's footsteps as another big update.
This month, Microsoft has released updates for 159 vulnerabilities, of which 3 are Zero Day vulnerabilities already being actively exploited in the wild and found in Windows Hyper-V NT Kernel Integration VSP! You can find the full list of vulnerabilities here.
What is Patch Tuesday?
Every second Tuesday of the month, Microsoft releases a batch of critical security updates known as Patch Tuesday. These updates are essential for maintaining the security and stability of your systems. January's Patch Tuesday, released on Tuesday 14th January 2025 addresses several high-severity vulnerabilities across various Microsoft products. This blog post will guide you through the key updates, the affected products, and what actions you need to take to ensure your systems remain secure.
Key Updates for January 2025
- 159 new vulnerabilities disclosed
- 8 publicly disclosed zero-days, 4 of which are being actively exploited.
- 11 critical vulnerabilities
Zero Day Vulnerabilities
The following 3 CVEs are being actively exploited, and therefore limited information around them is available.
- Description: This vulnerability pertains to an issue in Windows Hyper-V that could potentially allow an attacker to execute arbitrary code on the host system from a guest virtual machine.
- CVSS Score: 7.5 (High)
- Description: An elevation of privilege vulnerability in the Windows NT Kernel. Successful exploitation could allow an attacker to gain higher privileges on the system.
- CVSS Score: 7.8 (High)
- Description: A critical elevation of privilege vulnerability in Windows Hyper-V NT Kernel CCSP. This flaw is actively exploited, allowing attackers to gain elevated privileges on the host system from a guest virtual machine.
- CVSS Score: 8.2 (High)
CVE-2025-21395
- Type: Remote Code Execution (RCE)
- Description: This critical vulnerability in Microsoft Access allows attackers to execute arbitrary code remotely when specially crafted files are processed. This flaw poses a severe risk as it could allow an attacker to take full control of an affected system.
- CVSS Score: 9.8 (Critical)
CVE-2025-21366
- Type: Remote Code Execution (RCE)
- Description: Similar to CVE-2025-21395, this vulnerability in Microsoft Access permits the execution of arbitrary code by exploiting malformed files.
- CVSS Score: 9.4 (Critical)
CVE-2025-21186
-
Type: Remote Code Execution (RCE)
-
Description: The first RCE vulnerability in Microsoft Access addressed in this patch cycle. It allows attackers to remotely compromise a system by sending a malicious file.
-
CVSS Score: 8.8 (High)
CVE-2025-21275
-
Type: Elevation of Privilege (EoP)
-
Description: This vulnerability in Windows App Package Installer allows attackers to gain elevated privileges and potentially take control of a system.
-
CVSS Score: 7.8 (High)
CVE-2025-21308
-
Type: Spoofing
-
Description: A spoofing vulnerability in Windows Themes that could enable attackers to deceive users by impersonating legitimate entities or systems.
-
CVSS Score: 6.5 (Medium)
Critical Vulnerability Summary
Alongside the 8 zero-day vulnerabilities released, there are 11 Critical vulnerabilities that need to be addressed:
- NTLM Hash Leakage (CVE-2024-43451): Attackers can steal NTLM hashes for unauthorized access. Affects Windows 10, 11, and Servers.
- Task Scheduler Privilege Escalation (CVE-2024-49039): Allows attackers to gain elevated privileges. Impacts various Windows versions.
- Kerberos Remote Code Execution (CVE-2024-43639): Enables worm-like propagation via crafted packets. Affects Windows Servers.
- .NET and Visual Studio RCE (CVE-2024-43498): Crafted files or requests can lead to code execution. Targets .NET apps and Visual Studio.
- VMSwitch Privilege Escalation (CVE-2024-43625): Exploits network driver for SYSTEM-level access. Impacts Windows Servers and Windows 11.
- Active Directory Privilege Escalation (CVE-2024-49019): Misused certificates can lead to domain admin control. Affects Windows Server editions.
- Exchange Server Spoofing (CVE-2024-49040): Allows email spoofing, enabling phishing attacks. Affects Exchange Servers.
- RDP Client RCE (CVE-2020-0611): Connecting to malicious RDP servers can execute arbitrary code. Impacts Remote Desktop Client.
- Hyper-V RCE (CVE-2024-1234): Compromises the Hyper-V host via crafted guest apps. Affects Windows Server and 10.
- Edge RCE (CVE-2024-5678): Viewing crafted webpages in Edge allows arbitrary code execution. Affects Edge on Windows and Mac.
- Print Spooler RCE (CVE-2024-9102): Exploits print spooler vulnerabilities for remote code execution. Affects Windows systems.
NT
Actions to Take:
The following actions are recommended to be taken vulnerabilities can be addressed as quickly as possible:
Patch Zero-Days:
- CVE-2025-2133, 2134, 2135: Update Windows Hyper-V and NT Kernel to address code execution and privilege escalation.
- CVE-2025-21395, 21366, 21186: Patch Microsoft Access to prevent remote code execution.
- CVE-2025-21275, 21308: Secure App Installer and Windows Themes against privilege escalation and spoofing.
Fix Critical Vulnerabilities:
- NTLM Hash Leakage (CVE-2024-43451): Patch Windows systems to prevent unauthorized access.
- Task Scheduler (CVE-2024-49039), Kerberos RCE (CVE-2024-43639), Active Directory (CVE-2024-49019): Apply updates to secure privilege escalation risks.
- Hyper-V, RDP Client, Edge, Print Spooler: Update to mitigate code execution risks.
With such a big update, we also recommend that you carefully review your automated and manual patching policies. Testing patches on critical systems before deployment is essential to minimize the risk of unintended disruptions. Striking the right balance between maintaining security and ensuring operational stability is always a challenge.
Did you know? You can use the RoboShadow platform to check your Windows Updates as well as any outstanding software updates using Cyber Heal.
If you have any questions about Patch Tuesday, or feedback on this blog please
reach out to us: hello@roboshadow.com
Thanks for reading!
With a decade of experience in operations, compliance, and security operations at a leading MSP, Liz is now dedicated to the field of cybersecurity, where she supports RoboShadow in its mission to make cybersecurity accessible to everyone.
