January 2025 Patch Tuesday comes with fixes for 159 vulnerabilities, including 8 zero-days
Welcome to the first Patch Tuesday of the year; let's find out what new surprises and challenges await. This month, there are 159 vulnerabilities, eight of them zero-days. This time, three of the zero-days are being actively exploited.
After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.
Why is Patch Tuesday important?
Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
January 2025 Patch Tuesday
Security updates lineup
Here is a breakdown of the vulnerabilities fixed this month:
CVE IDs: 159
Republished CVE IDs: 2 (more details on this below)
Security updates were released for the following products, features, and roles:
.NET
.NET and Visual Studio
.NET, .NET Framework, Visual Studio
Active Directory Domain Services
Active Directory Federation Services
Azure Marketplace SaaS Resources
BranchCache
Internet Explorer
IP Helper
Line Printer Daemon Service (LPD)
Microsoft AutoUpdate (MAU)
Microsoft Azure Gateway Manager
Microsoft Brokering File System
Microsoft Digest Authentication
Microsoft Graphics Component
Microsoft Office
Microsoft Office Access
Microsoft Office Excel
Microsoft Office OneNote
Microsoft Office Outlook
Microsoft Office Outlook for Mac
Microsoft Office SharePoint
Microsoft Office Visio
Microsoft Office Word
Microsoft Purview
Microsoft Windows Search Component
Power Automate
Reliable Multicast Transport Driver (RMCAST)
Visual Studio
Windows BitLocker
Windows Boot Loader
Windows Boot Manager
Windows Client-Side Caching (CSC) Service
Windows Cloud Files Mini Filter Driver
Windows COM
Windows Connected Devices Platform Service
Windows Cryptographic Services
Windows Digital Media
Windows Direct Show
Windows DWM Core Library
Windows Event Tracing
Windows Geolocation Service
Windows Hello
Windows Hyper-V NT Kernel Integration VSP
Windows Installer
Windows Kerberos
Windows Kernel Memory
Windows MapUrlToZone
Windows Message Queuing
Windows NTLM
Windows OLE
Windows PrintWorkflowUserSvc
Windows Recovery Environment Agent
Windows Remote Desktop Services
Windows Secure Boot
Windows Security Account Manager
Windows Smart Card
Windows SmartScreen
Windows SPNEGO Extended Negotiation
Windows Telephony Service
Windows Themes
Windows UPnP Device Host
Windows Virtual Trusted Platform Module
Windows Virtualization-Based Security (VBS) Enclave
Windows Web Threat Defense User Service
Windows Win32K - GRFX
Windows WLAN Auto Config Service
Learn more in the MSRC’s release notes.
Details of the zero-day vulnerabilities
Vulnerable component: Windows Hyper-V NT Kernel Integration VSP
Impact: Elevation of privilege
CVSS 3.1: 7.8
These vulnerabilities allow attackers to execute arbitrary code with elevated privileges on affected systems. Per Microsoft, "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges."
While these vulnerabilities are being actively exploited, these haven't been publicly disclosed before.
- CVE-2025-21186, CVE-2025-21366, CVE-2025-21395
Vulnerable component: Microsoft Access
Impact: Remote Code Execution
CVSS 3.1: 7.8
As of now, the vulnerabilities have been publicly disclosed, but there have been no recorded instances of exploitation. The updates released potentially block certain types of malicious extensions from being sent via email. The extensions are:
accdb
accde
accdw
accdt
accda
accdr
accdu
Vulnerable component: Windows Themes
Impact: Spoofing
CVSS 3.1: 6.5
Microsoft states, "An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file."
As for the mitigation, Windows systems that have NTLM disabled in them are not affected by the vulnerability, while the other systems need to block the NTLM hash by applying an existing Group Policy, for which details can be found here.
Vulnerable component: Windows App Package Installer
Impact: Elevation of Privilege
CVSS 3.1: 7.8
This vulnerability has also been publicly disclosed, yet no instances of active exploitation have been noted. Microsoft has stated that the attackers can gain SYSTEM privileges by exploiting the vulnerability.
Republished CVE IDs
Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished two CVE IDs. These are as follows:
Some third-party vendors such as Adobe, Cisco, SAP, Fortinet, and Ivanti have also released updates this January.
Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.
Here are a few pointers to simplify the process of remote patching:
- Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
- Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
- Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
- Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
- Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
- Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
- Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
- Run patch reports to get a detailed view of the health status of your endpoints.
For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.
With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.
Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.
Ready, get set, patch!
add some information to CVE-2025-21298 as it is CVSS 3.1 Score 9.8.
Good job! Thank you. You may add some information to CVE-2025-21298 as it is CVSS 3.1 Score 9.8. It may be enough to receive a manipulated email and open the preview of it in Outlook to get compromised. Link to MS resource: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298 Best regards
excelente, Gracias!
"I just updated the database manually, but I still can't find the patch for January 2025. Has it been released yet?