Microsoft Patch Tuesday January 2025
Microsoft Patch Tuesday January 2025
Summary
This months Patch Tuesday has security updates to fix 8 zero-day vulnerabilities with 3 of them being actively exploited, 10 critical vulnerabilities and a total of 159 vulnerabilities.
The most important patches are:
CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 – A local privilege escalation vulnerability exists in Windows Hyper-V NT Kernel Integration VSP. This vulnerability allows an attacker with low privileges to gain SYSTEM-level access on the affected Hyper-V host. The vulnerability is associated with a Heap-based Buffer Overflow and requires minimal attack complexity with no user interaction for successful exploitation. CVSS v3.1: 7.8 (High)
CVE-2025-21275 – A Windows App Package Installer Elevation of Privilege Vulnerability has been identified. This vulnerability allows a local attacker with low privileges to potentially gain higher privileges on an affected system. The attack complexity is low, and no user interaction is required. The vulnerability affects Windows systems and is related to improper authorization. CVSS v3.1 7.8 (High)
CVE-2025-21308 – Windows Themes Spoofing Vulnerability. The vulnerability requires network access and user interaction, with low attack complexity and no privileges required. It primarily impacts confidentiality but does not affect integrity or availability. The attack vector is through the network, meaning the attacker doesn’t need local access to the target system. User interaction is required, suggesting that the attack might involve social engineering tactics to trick users into interacting with a malicious element. CVSS v3.1: 6.5 (Medium)
CVE-2025-21186, CVE-2025-21366, CVE-2025-21395 – Microsoft Access Remote Code Execution Vulnerability. If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the target system with the same privileges as the user running Microsoft Access. This could lead to unauthorized access to sensitive information, modification of data, or complete system compromise. The attacker could potentially install programs, view, change, or delete data, or create new accounts with full user rights. The impact on confidentiality, integrity, and availability is high, which means sensitive data could be exposed, altered, or made unavailable. CVSS v3.1: 7.8 (High)
The patches this month break down as follows:
- 40 Elevation of Privilege Vulnerabilities
- 14 Security Feature Bypass Vulnerabilities
- 58 Remote Code Execution Vulnerabilities
- 24 Information Disclosure Vulnerabilities
- 20 Denial of Service Vulnerabilities
- 5 Spoofing Vulnerabilities