< Go Back
Blog

ION Advisory: Microsoft January 2025 Patch Tuesday

Published January 15, 2025 Last Updated on October 23, 2025

The Microsoft January 2025 Patch Tuesday update consists of 209 vulnerabilities for Microsoft products, 12 of these vulnerabilities are rated ‘critical’, with 3 already being exploited.

Active Exploitation

The following critical vulnerabilities are already being actively exploited.

  • CVE-2025-21333 & CVE-2025-21334 CVE-2025-21335Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities – An attacker who successfully exploited these vulnerabilities could gain SYSTEM privileges.

Critical Vulnerabilities

The following critical vulnerabilities have not yet been known to be be actively exploited, or publicly disclosed.

  • CVE-2025-21311Windows NTLM V1 Elevation of Privilege Vulnerability – This vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low; an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. Microsoft refers Network security: LAN Manager authentication level for more information for mitigation.
  • CVE-2025-21298Windows OLE Remote Code Execution Vulnerability – An attacker could exploit the vulnerability by sending the specially crafted email to the victim with an affected version of Outlook.
  • CVE-2025-21297 & CVE-2025-21309 Windows Remote Desktop Services Remote Code Execution Vulnerabilities – An attacker could remotely exploit this vulnerabilities of a system with Remote Desktop Gateway role.
  • CVE-2025-21296BranchCache Remote Code Execution Vulnerability – This attack is limited to systems connected to the same network segment as the attacker.
  • CVE-2025-21294Microsoft Digest Authentication Remote Code Execution Vulnerability – An attacker could successfully exploit these vulnerability by connecting to a system which requires digest authentication.
  • CVE-2025-21307Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability – An unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast (PGM) without any interaction from the user.
  • CVE-2025-21295SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability – Remote code execution without user interaction.
  • CVE-2025-21380Azure Marketplace SaaS Resources Information Disclosure Vulnerability – This vulnerability has already been fully mitigated by Microsoft.
  • CVE-2025-21385Microsoft Purview Information Disclosure Vulnerability – This vulnerability has already been fully mitigated by Microsoft.

Publicly Disclosed Vulnerabilities

The following vulnerabilities have been publicly disclosed, but are not yet known to be actively exploited.

  • CVE-2025-21186 & CVE-2025-21366 & CVE-2025-21395Microsoft Access Arbitrary Code Execution Vulnerabilities – Arbitrary Code Execution (ACE) vulnerabilities, the update blocking malicious files with access file extensions being sent via email(accdb, accde, accdw, accdt, accda, accdr, accdu)
  • CVE-2025-21275Windows App Package Installer Elevation of Privilege Vulnerability – An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.
  • CVE-2025-21308Windows Themes Spoofing Vulnerability – Microsoft recommends restricting outgoing NTLM traffic to remote servers(best practice for systems with NTLM): To enable the policy: Select Computer Configuration > Windows Settings > ** Security Settings** > Local Policies > Security Options. On the right pane, double-click the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy per the options listed below in the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers documentation.

Countermeasures and Patches

  • Apply patches as soon as possible, after appropriate testing.

References

Sans Report: Microsoft January 2025 Patch Tuesday – SANS Internet Storm Center

Patch-A-Palooza: PatchaPalooza

Sharing

Article By

Advanced Threat Operations Team

Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Team Member Balazs Greksza Image

Balazs Greksza
Team Member Domenico de Vitto Image

Domenico de Vitto
Team Member Rhys Downing Image

Rhys Downing
Team Member Manupriya Sharma Image

Manupriya Sharma
Keywords

Related Articles

Podcast cover featuring a microphone icon on a gradient purple background. Text reads 'Microsoft Security Tips' and 'Defend Your Time Podcast'.
Blog
CISO Takeaways from the ATO H1 2024 Threat Report

Sep 17, 2024

Listen Now >
Podcast cover featuring a microphone icon on a gradient purple background. Text reads 'Microsoft Security Tips' and 'Defend Your Time Podcast'.
Blog
Defend Your Time: Tackling the LummaC2 Infostealer

Sep 30, 2024

Read More >
A cover design for the "1H 2024 Threat Intelligence Report" by Ontinue, featuring a dark abstract background with colorful digital patterns.
eBook
1H 2024 Threat Intelligence Report

Sep 12, 2024

Read More >
A person viewed from behind, wearing headphones, sitting at a desk with multiple computer screens displaying data and graphs, with the text "ION Threat Advisory" prominently shown in white.
Blog
ION Advisory: Microsoft December 2024 Patch Tuesday

Dec 11, 2024

Read More >
A person interacting with a digital display showing various percentage figures, including "78.2%". The background is blurred, emphasizing the hands on the screen. This image relates to data visualization and analysis.
Blog
Key Findings from Ontinue’s 1H 2024 Threat Intelligence Report

Sep 9, 2024

Read More >