Microsoft January 2025 Patch Tuesday Fixes 8 Zero-days, 159 Flaws

Summary:
As part of the January Microsoft Patch Tuesday, Microsoft addressed 159 flaws, including 8 zero-day flaws, 3 of which are actively being exploited in attacks in the wild. Of the 159 flaws, there are 40 elevation of privilege vulnerabilities, 14 security feature bypass vulnerabilities, 58 remote code execution vulnerabilities, 24 information disclosure vulnerabilities, 20 denial of service vulnerabilities, and 5 spoofing vulnerabilities. 12 of these flaws are rated critical and can enable actors to access sensitive data, elevate privileges, and perform remote code execution on vulnerable systems:

  • CVE-2025-21380: Azure Marketplace SaaS Resources Information Disclosure Vulnerability
  • CVE-2025-21296: BranchCache Remote Code Execution Vulnerability
  • CVE-2025-21294: Microsoft Digest Authentication Remote Code Execution Vulnerability
  • CVE-2025-21362 & CVE-2025-21354: Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2025-21385: Microsoft Purview Information Disclosure Vulnerability
  • CVE-2025-21307: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
  • CVE-2025-21311: Windows NTLM V1 Elevation of Privilege Vulnerability
  • CVE-2025-21298: Windows OLE Remote Code Execution Vulnerability
  • CVE-2025-21309 & CVE-2025-21297: Windows Remote Desktop Services Remote Code Execution Vulnerability
  • CVE-2025-21295: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability


Security Officer Comments:
The three actively exploited zero-day vulnerabilities (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) are privilege escalation vulnerabilities within Windows Hyper-V, which can be exploited to elevate privileges to SYSTEM level on vulnerable devices. While Microsoft has confirmed active exploitation attempts in the wild, no further details on the nature of these attacks have been disclosed as of the latest update.

In addition to these three flaws, 5 other zero-day vulnerabilities were addressed by the vendor. This includes a Windows App Package Installer Elevation of Privilege vulnerability (CVE-2025-21275), which could allow malicious actors to escalate privileges to the SYSTEM level.

Additionally, a Windows theme vulnerability, CVE-2025-21308, was resolved. This flaw could be exploited simply by displaying a specially crafted theme file in Windows Explorer. Discovered by Blaz Satler with 0patch by ACROS Security, this vulnerability is a bypass for a previously identified issue, CVE-2024-38030. The flaw arises when a theme file containing a network file path in its BrandImage and Wallpaper settings is viewed. This triggers Windows to automatically send authentication requests to the remote host, including the logged-in user's NTLM credentials. These hashes can then be cracked to reveal the plaintext password or used in pass-the-hash attacks. Microsoft notes that the flaw can be mitigated by either disabling NTLM or enabling the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.
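As an added detection aid that is not part of the original advisory, the scanner below parses a .theme file (INI format) and flags the two settings the advisory names, BrandImage and Wallpaper, when they point at a network location; the sample theme text is constructed, and the host name in it is a placeholder.

```python
import configparser
import re
from typing import List, Tuple

# (section, key) pairs the advisory calls out: a network path in either one makes
# Explorer authenticate to the remote host when the theme is merely displayed.
WATCHED = (("Theme", "BrandImage"), (r"Control Panel\Desktop", "Wallpaper"))

# UNC path (\\host\share\...), forward-slash UNC, or a URL-style reference.
REMOTE_RE = re.compile(r"^\s*(\\\\[^\\\s]+\\|//[^/\s]+/|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


def _find_section(cp: configparser.ConfigParser, wanted: str):
    # Section names in .theme files vary in case; configparser compares them exactly.
    for name in cp.sections():
        if name.lower() == wanted.lower():
            return name
    return None


def remote_refs(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for watched settings that reference a remote host.

    theme_text must already be decoded (real .theme files are often UTF-16).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(theme_text)
    hits = []
    for section, key in WATCHED:
        found = _find_section(cp, section)
        if found is None or not cp.has_option(found, key):
            continue
        value = cp.get(found, key) or ""
        if REMOTE_RE.match(value):
            hits.append((found, key, value))
    return hits


# Constructed sample: BrandImage points at a placeholder network host, Wallpaper is local.
SAMPLE_THEME = r"""; constructed sample, not a real theme file
[Theme]
DisplayName=Corporate
BrandImage=\\files.example.invalid\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
TileWallpaper=0
"""

if __name__ == "__main__":
    for section, key, value in remote_refs(SAMPLE_THEME):
        print(f"remote reference in [{section}] {key}={value}")
```

The same function can be pointed at theme files found in mail attachments or user profiles to triage them before they are opened in Explorer.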

The other 3 zero-day flaws addressed are remote code execution vulnerabilities (CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395) in Microsoft Access, and can be exploited through the use of specially crafted Microsoft Access documents. Microsoft says it has mitigated the bug by blocking access to Microsoft Access documents with the following extensions when they are sent via email: accdb, accde, accdw, accdt, accda, accdr, accdu.

Suggested Corrections:
Organizations should review the list of vulnerabilities resolved and apply the relevant patches as needed. To access the full list of vulnerabilities addressed, please use the link below:

https://www.bleepingcomputer.com/mi...rts/Microsoft-Patch-Tuesday-January-2025.html

Link(s):
https://www.bleepingcomputer.com/ne...25-patch-tuesday-fixes-8-zero-days-159-flaws/