Particle.news
Download on the App Store

Microsoft's January 2025 Patch Tuesday Fixes 8 Zero-Days and 159 Vulnerabilities

The update addresses actively exploited privilege-escalation flaws in Hyper-V and critical remote code execution issues across Windows and Office applications.

Overview

  • Microsoft's January 2025 security update resolves 159 vulnerabilities, including eight zero-day flaws, with three already exploited in the wild.
  • Three critical privilege-escalation vulnerabilities in Hyper-V (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) allow attackers to gain SYSTEM privileges but are not guest escapes.
  • Critical remote code execution flaws include a Windows OLE vulnerability (CVE-2025-21298) triggered by opening malicious emails and a PGM networking issue (CVE-2025-21307) exploitable via crafted packets.
  • Microsoft also fixed vulnerabilities in Excel, Remote Desktop Services, and NTLMv1 authentication, recommending mitigation strategies alongside patches.
  • Other vendors, including Adobe, Cisco, and SAP, released updates addressing critical vulnerabilities in their products as part of broader January security efforts.