Microsoft's Massive First Patch of 2025 Includes 8 Zero-Day Flaw Fixes
Microsoft’s first Patch Tuesday of 2025 has arrived, and it's a big one. Microsoft addressed 159 vulnerabilities, including eight zero-day flaws, three of which have been actively exploited in the wild.
Top priority should go to the three zero-day vulnerabilities under active exploitation, all of which affect Windows Hyper-V. The Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege vulnerabilities (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335) allow an attacker who already has low-privileged local access to execute code with SYSTEM privileges. They affect Windows 10, Windows 11 and all supported Windows Server editions, not only dedicated virtualization hosts, so the update belongs on every machine in that range.
The harm caused by attackers exploiting any of these three can be high for an organization, according to Mike Walters, president of security firm Action1. In an emailed statement, he broke down some of the direct impacts and the follow-on compromises attackers could chain with these flaws:
Potential impacts include:
- Accessing and manipulating virtual machines on the host.
- Stealing sensitive data or credentials.
- Moving laterally within the network to target other systems.
- Disrupting critical services by modifying configurations or deploying malicious code.
Attackers can combine these vulnerabilities with others to increase impact, such as:
- Installing persistent malware (e.g., rootkits) for long-term access.
- Combining with remote code execution vulnerabilities for remote exploitation.
- Extracting credentials for further attacks.
- Disabling security mechanisms to evade detection.
- Targeting development environments to inject malicious code into software.
- Using compromised hosts to launch attacks against database servers, domain controllers, or other systems.
Remaining Zero-Day Flaws
The other five zero-days patched in this release were publicly disclosed before a fix was available but have not been seen exploited in the wild. They should still be patched as soon as possible: public disclosure often precedes a working exploit by days, not months.
- Windows App Package Installer Elevation of Privilege Vulnerability (CVE-2025-21275): A local attacker who successfully exploits this flaw could gain SYSTEM privileges.
- Windows Themes Spoofing Vulnerability (CVE-2025-21308): Exploitation requires tricking a target into loading a malicious file on a vulnerable system, typically by sending it via email or instant message.
- Microsoft Access Remote Code Execution Vulnerabilities (CVE-2025-21186, CVE-2025-21366, CVE-2025-21395): The updates for the final three zero-days also block potentially dangerous Access file extensions from being sent in an email, so mail flows that legitimately carry such attachments should be checked after patching.
January "Critical" Bulletins
Once the eight zero-day items are patched, IT teams that do not have automatic patching enabled should tackle the eleven bulletins rated "critical." Microsoft reserves the critical rating for vulnerabilities whose exploitation could allow code execution without user interaction, which makes them the flaws with the greatest potential impact on an environment. Here are the critical items for January:
- CVE-2025-21380: Azure Marketplace SaaS Resources information disclosure vulnerability.
- CVE-2025-21296: BranchCache remote code execution vulnerability.
- CVE-2025-21294: Microsoft Digest Authentication remote code execution vulnerability.
- CVE-2025-21385: Microsoft Purview information disclosure vulnerability.
- CVE-2025-21295: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism remote code execution vulnerability.
- CVE-2025-21178: Visual Studio remote code execution vulnerability.
- CVE-2025-21311: Windows NTLM V1 elevation of privilege vulnerability.
- CVE-2025-21298: Windows OLE remote code execution vulnerability.
- CVE-2025-21307: Windows Reliable Multicast Transport Driver (RMCAST) remote code execution vulnerability.
- CVE-2025-21297: Windows Remote Desktop Services remote code execution vulnerability.
- CVE-2025-21309: Windows Remote Desktop Services remote code execution vulnerability.
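As an added example, not part of the original article and not Microsoft tooling: a read-only PowerShell triage script that reports which of the attack surfaces named on this page a host exposes (the Hyper-V role for the three exploited zero-days, plus Remote Desktop, BranchCache and NTLMv1 from the critical list) and whether any update has been installed since the January 14, 2025 release, so patch order can be decided per machine. It assumes an elevated PowerShell 5.1 or later session on the host being checked, uses January 14, 2025 as the release date, and hard-codes no KB numbers because those differ by Windows version (look them up in the Security Update Guide). The service names (vmms, PeerDistSvc) and registry values it reads are standard Windows ones, but the result is only a prioritization aid: the January update applies to every supported Windows 10, 11 and Server host whether or not Hyper-V is installed.

```powershell
# Added example (not from the article or from Microsoft): read-only triage of
# a Windows host against the January 2025 Patch Tuesday items named above.
# Assumptions: elevated session on the host; release date 2025-01-14; no KB
# numbers hard-coded (they vary per Windows version).

function Get-PatchTuesdayTriage {
    [CmdletBinding()]
    param(
        # January 2025 Patch Tuesday release date (assumption; override if needed).
        [datetime]$ReleaseDate = [datetime]'2025-01-14'
    )

    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Build as "major.UBR"; compare it with the build Microsoft lists for the
    # January cumulative update of this Windows version.
    $build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

    # Updates installed on or after the release date. Get-HotFix lists
    # cumulative updates, so an empty result means January is probably missing.
    $recentUpdates = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $ReleaseDate } |
        Select-Object -ExpandProperty HotFixID)

    # Hyper-V (CVE-2025-21333/21334/21335): the vmms service exists only when
    # the Hyper-V role or feature is installed. Hosts with only Virtual
    # Machine Platform (e.g. WSL2) are not flagged, but still need the patch.
    $hyperV = [bool](Get-Service -Name vmms -ErrorAction SilentlyContinue)

    # Remote Desktop Services (CVE-2025-21297/21309): fDenyTSConnections = 0
    # means inbound RDP is enabled.
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # BranchCache (CVE-2025-21296): PeerDistSvc is the BranchCache service.
    $bc = Get-Service -Name PeerDistSvc -ErrorAction SilentlyContinue
    $branchCacheRunning = ($null -ne $bc -and $bc.Status -eq 'Running')

    # NTLMv1 (CVE-2025-21311): LmCompatibilityLevel below 3 still lets this
    # host send LM/NTLMv1 responses. A missing value means the OS default
    # applies, which is 3 on supported Windows versions.
    $lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        WindowsVersion       = $cv.DisplayVersion
        Build                = $build
        UpdatesSinceRelease  = $recentUpdates
        HyperVInstalled      = $hyperV
        RdpEnabled           = $rdpEnabled
        BranchCacheRunning   = $branchCacheRunning
        LmCompatibilityLevel = $lmLevel
        NtlmV1Allowed        = ($lmLevel -lt 3)
    }
}

function Get-PatchPriorityFindings {
    # Turns the triage object into an ordered list of reasons to patch first:
    # a host missing the update and running Hyper-V tops the queue.
    param([Parameter(Mandatory)]$Triage)
    $findings = @()
    if ($Triage.UpdatesSinceRelease.Count -eq 0) { $findings += 'January update not found' }
    if ($Triage.HyperVInstalled)    { $findings += 'Hyper-V present (exploited EoP CVEs)' }
    if ($Triage.RdpEnabled)         { $findings += 'RDP enabled (critical RDS RCEs)' }
    if ($Triage.BranchCacheRunning) { $findings += 'BranchCache running (critical RCE)' }
    if ($Triage.NtlmV1Allowed)      { $findings += 'NTLMv1 allowed (critical EoP)' }
    return $findings
}

$triage = Get-PatchTuesdayTriage
$triage | Format-List
$findings = Get-PatchPriorityFindings -Triage $triage
'Priority findings: ' + $(if ($findings) { $findings -join '; ' } else { 'none' })
```

Run it per host, or wrap `Get-PatchTuesdayTriage` in `Invoke-Command -ComputerName` to collect objects from a fleet and sort on the findings count. The script changes nothing; its only purpose is to tell you which machines to push the January update to first, and a host with no findings still needs that update.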
A full list of this month's bulletins can be found in Microsoft's Security Update Guide.