Stratos Ally

The January Security Patch Storm: Microsoft Addresses 161 Vulnerabilities, Including 3 Zero-Days 

StratosAlly

Microsoft addressed a record-breaking 161 vulnerabilities in its January 2025 security update, including three critical zero-day flaws actively exploited in attacks. This update follows the December 2024 Chromium-based Edge browser update, in which seven vulnerabilities were patched.

Out of these 161 vulnerabilities, 11 are rated critical, indicating they can be exploited remotely by an attacker to execute arbitrary code on a victim’s machine or compromise systems. The other 149 flaws are rated important, meaning they could potentially allow attackers to gain privileges or cause a DoS condition. 

Three of the most severe vulnerabilities, CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335, exist in Windows Hyper-V NT Kernel Integration VSP. These flaws could grant an attacker SYSTEM privileges on a vulnerable machine and have already been weaponized by attackers. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch their systems by February 4, 2025. 

One of the critical vulnerabilities addressed (CVE-2025-21298) resides in Windows Object Linking and Embedding (OLE) and could allow attackers to execute remote code on a victim’s machine by sending a specially crafted email. This flaw can be exploited either by convincing a victim to open a malicious email or by having a victim’s email client preview a malicious email. Microsoft has recommended that users read email messages in plain text format and avoid opening RTF attachments from untrusted sources to mitigate this risk.

Because this vulnerability requires no valid credentials, security researchers warn that its widespread exploitation could be severe.
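The plain-text reading mitigation above can be audited per user on Windows. The following PowerShell script is an added example, not from Microsoft or the original article: it reports Outlook's `ReadAsPlain` setting and, with the hypothetical `-Enforce` switch, turns it on. It assumes Office version 16.0 (Outlook 2016/2019/Microsoft 365) and the current user's registry hive.

```powershell
# Added example: audit (and optionally enable) Outlook's "read all standard
# mail in plain text" option for the current user.
# Assumption: Office 16.0; change $version for other Office releases.
param([switch]$Enforce)   # -Enforce is a switch defined by this example

$version   = '16.0'
$userKey   = "HKCU:\Software\Microsoft\Office\$version\Outlook\Options\Mail"
$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$version\Outlook\Options\Mail"

function Get-ReadAsPlain {
    # Returns 0/1 if the ReadAsPlain value exists under $Path, otherwise $null.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ReadAsPlain
}

$policy = Get-ReadAsPlain -Path $policyKey
$user   = Get-ReadAsPlain -Path $userKey

# A Group Policy value, when present, overrides the user's own preference.
$effective = if ($null -ne $policy) { $policy } else { $user }
$source    = if ($null -ne $policy) { 'policy' } elseif ($null -ne $user) { 'user' } else { 'default' }

if ($effective -eq 1) {
    Write-Output "OK: Outlook reads mail as plain text (source: $source)."
}
elseif ($null -ne $policy) {
    # Policy explicitly disables it; a per-user change would be ignored.
    Write-Warning "Policy sets ReadAsPlain=0. Change the Group Policy, not the user key."
}
elseif ($Enforce) {
    # Create the key if Outlook has never written it, then set the DWORD.
    if (-not (Test-Path -Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    New-ItemProperty -Path $userKey -Name 'ReadAsPlain' -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Output "Set ReadAsPlain=1 for the current user. Restart Outlook to apply."
}
else {
    Write-Warning "Outlook renders rich content (source: $source). Re-run with -Enforce to enable plain text."
}
```

The setting changes how messages are displayed; it does not replace installing the January 2025 update.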

Another critical flaw closed in this update (CVE-2025-21295) exists in the SPNEGO Extended Negotiation (NEGOEX) security mechanism and could allow unauthenticated attackers to remotely execute malicious code on affected systems. This vulnerability highlights the need for immediate patching and vigilant mitigation measures due to the potential for widespread impact.

An information disclosure flaw in Windows BitLocker (CVE-2025-21210) has also been addressed. It could potentially reveal sensitive data stored in RAM by allowing attackers with physical access to a victim’s machine to recover hibernation images in plain text.

To summarize, this Microsoft security update addresses a significant number of high-risk vulnerabilities, and system administrators are urged to patch their systems as soon as possible. Especially critical are the zero-day vulnerabilities that have already been exploited in attacks. Applying the security patches and implementing best practices like disabling unnecessary features and following security advice regarding emails can significantly reduce the risk of cyberattacks. 
