
ION Advisory: Microsoft January 2025 Patch Tuesday

The Microsoft January 2025 Patch Tuesday release addresses 209 vulnerabilities across Microsoft products. Twelve of them are rated ‘critical’, and 3 were already being exploited in the wild when the update shipped.

Active Exploitation

The following vulnerabilities were already being actively exploited at the time of release.

  • CVE-2025-21333, CVE-2025-21334 & CVE-2025-21335 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities – A local attacker who successfully exploited any of these vulnerabilities could gain SYSTEM privileges. These are local privilege escalations, so the attacker must already be able to run code on the host; they are the post-compromise step rather than the initial entry point.

Critical Vulnerabilities

The following critical vulnerabilities were not known to be actively exploited or publicly disclosed at the time of release.

  • CVE-2025-21311 Windows NTLM V1 Elevation of Privilege Vulnerability – This vulnerability is remotely exploitable over the network and can be exploited from the internet. The attack complexity is Low: an attacker does not require significant prior knowledge of the system and can achieve repeatable success against the vulnerable component. Microsoft refers to the ‘Network security: LAN Manager authentication level’ policy for mitigation guidance; the fix and the policy both come down to refusing LM and NTLMv1 authentication.
  • CVE-2025-21298 Windows OLE Remote Code Execution Vulnerability – An attacker could exploit the vulnerability by sending a specially crafted email to a victim running an affected version of Outlook. Microsoft notes that the Preview Pane is an attack vector, so the message does not have to be opened for exploitation to occur.
  • CVE-2025-21297 & CVE-2025-21309 Windows Remote Desktop Services Remote Code Execution Vulnerabilities – An attacker could remotely exploit these vulnerabilities on systems with the Remote Desktop Gateway role installed. Microsoft notes that successful exploitation requires the attacker to win a race condition.
  • CVE-2025-21296 BranchCache Remote Code Execution Vulnerability – The attack is limited to systems on the same network segment as the attacker (adjacent attack vector); it cannot be performed across a router.
  • CVE-2025-21294 Microsoft Digest Authentication Remote Code Execution Vulnerability – An attacker could exploit this vulnerability by connecting to a system that requires Digest authentication.
  • CVE-2025-21307 Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability – An unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast (PGM) open socket on the server, without any user interaction. Microsoft's guidance for RMCAST vulnerabilities is that a host is only exploitable if a program on it is listening on a PGM port.
  • CVE-2025-21295 SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability – Remote code execution by an unauthenticated attacker, without user interaction.
  • CVE-2025-21380 Azure Marketplace SaaS Resources Information Disclosure Vulnerability – This vulnerability has already been fully mitigated by Microsoft on the service side; no customer action is required.
  • CVE-2025-21385 Microsoft Purview Information Disclosure Vulnerability – This vulnerability has already been fully mitigated by Microsoft on the service side; no customer action is required.

Publicly Disclosed Vulnerabilities

The following vulnerabilities have been publicly disclosed, but are not yet known to be actively exploited.

  • CVE-2025-21186, CVE-2025-21366 & CVE-2025-21395 Microsoft Access Arbitrary Code Execution Vulnerabilities – Arbitrary Code Execution (ACE) vulnerabilities. The update blocks potentially malicious Access files sent via email by extension (accdb, accde, accdw, accdt, accda, accdr, accdu).
  • CVE-2025-21275 Windows App Package Installer Elevation of Privilege Vulnerability – An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.
  • CVE-2025-21308 Windows Themes Spoofing Vulnerability – Microsoft recommends restricting outgoing NTLM traffic to remote servers (a best practice for any system that still uses NTLM). To enable the policy: open Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options; in the right pane, double-click Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers and choose one of the options documented for that policy (Allow all, Audit all, or Deny all).
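Both NTLM recommendations on this page (the ‘LAN Manager authentication level’ policy referenced for CVE-2025-21311 and the ‘Restrict NTLM: Outgoing NTLM traffic to remote servers’ policy recommended for CVE-2025-21308) are backed by registry values that the Group Policy settings write. The following PowerShell is an added example, not code from the advisory or from Microsoft: it reads the current state, applies the hardened values, and pulls the NTLM audit events you should review before moving from Audit to Deny. The hostname in the usage call is a placeholder, and the script assumes local Administrator rights; on domain-joined hosts a GPO will override these values at the next refresh, so roll them out through Group Policy there.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Ontinue advisory): audit and apply the two NTLM policies.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# "Network security: LAN Manager authentication level" (LmCompatibilityLevel):
#   0-2 still send LM/NTLMv1 responses; 3 sends NTLMv2 only; 4 additionally refuses LM;
#   5 = "Send NTLMv2 response only. Refuse LM & NTLM" (the only level that refuses NTLMv1).
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#   (RestrictSendingNTLMTraffic): 0 = Allow all, 1 = Audit all, 2 = Deny all.

function Get-NtlmPolicy {
    $lm  = (Get-ItemProperty -Path $LsaKey  -Name LmCompatibilityLevel       -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $out = (Get-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    [pscustomobject]@{
        LmCompatibilityLevel       = if ($null -eq $lm)  { 'not set (OS default)' } else { $lm }
        AcceptsNtlmV1              = ($null -eq $lm) -or ($lm -lt 5)   # anything below 5 still accepts NTLMv1
        RestrictSendingNTLMTraffic = if ($null -eq $out) { 'not set (Allow all)' } else { $out }
    }
}

function Set-NtlmHardening {
    param(
        [ValidateSet('Audit', 'Deny')] [string]   $OutgoingNtlm = 'Audit',
        [string[]] $ServerExceptions = @()   # servers still allowed to receive NTLM, e.g. a legacy NAS
    )
    # Refuse LM and NTLMv1: the policy Microsoft points to for CVE-2025-21311.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Type DWord -Value 5

    # Restrict outgoing NTLM (the CVE-2025-21308 recommendation). Start in Audit,
    # review the operational log, then switch to Deny once exceptions are known.
    $mode = @{ Audit = 1; Deny = 2 }[$OutgoingNtlm]
    Set-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic -Type DWord -Value $mode

    if ($ServerExceptions.Count -gt 0) {
        # "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication"
        Set-ItemProperty -Path $Msv1Key -Name ClientAllowedNTLMServers -Type MultiString -Value $ServerExceptions
    }
    Get-NtlmPolicy   # return the resulting state so the caller can verify it
}

function Get-NtlmOutgoingAuditEvents {
    param([int] $Hours = 24)
    # Event 8001 in Microsoft-Windows-NTLM/Operational records outgoing NTLM that Audit
    # mode observed (or Deny mode blocked): each entry is a candidate exception or a
    # client to migrate to Kerberos before you move to Deny.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Usage (the exception hostname is a placeholder):
Get-NtlmPolicy
Set-NtlmHardening -OutgoingNtlm Audit -ServerExceptions @('legacy-nas.corp.example')
Get-NtlmOutgoingAuditEvents -Hours 48
```

Run it in Audit mode first and leave it there long enough to cover your batch jobs and monthly processes; the 8001 events are the only reliable inventory of which hosts still answer with NTLM, and switching straight to Deny without that list is how file shares and printers break.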

Countermeasures and Patches

  • Apply patches as soon as possible, after appropriate testing.
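Before patching, it helps to know which of the critical items above actually apply to a given host, and after patching whether anything from the 14 January 2025 release has landed. The following PowerShell is an added example, not part of the advisory: it probes for the components behind the network-reachable critical RCEs (Remote Desktop Gateway for CVE-2025-21297/21309, BranchCache for CVE-2025-21296, the PGM/RMCAST driver for CVE-2025-21307) and summarises update state. It assumes an elevated PowerShell 5.1 or later session; the service and driver names it uses (TSGateway, PeerDistSvc, RMCAST) are the ones I expect on current Windows builds and are an assumption to confirm against your own baseline.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Ontinue advisory): host triage for the January 2025 release.
$PatchTuesday = [datetime]'2025-01-14'   # release date of the January 2025 update

function Test-ComponentInstalled {
    param([string] $ServiceName)
    # Both Win32 services and kernel drivers register under CurrentControlSet\Services,
    # so one registry probe covers RMCAST (a driver) as well as the two services.
    Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
}

function Get-ExposedComponents {
    # Map each advisory item to the component that must be present for it to matter.
    # Service/driver names are an assumption; verify them against your baseline.
    @(
        [pscustomobject]@{ CVE = 'CVE-2025-21297, CVE-2025-21309'; Component = 'Remote Desktop Gateway (TSGateway)'; Present = Test-ComponentInstalled 'TSGateway' }
        [pscustomobject]@{ CVE = 'CVE-2025-21296';                 Component = 'BranchCache (PeerDistSvc)';         Present = Test-ComponentInstalled 'PeerDistSvc' }
        [pscustomobject]@{ CVE = 'CVE-2025-21307';                 Component = 'PGM / Reliable Multicast (RMCAST)';  Present = Test-ComponentInstalled 'RMCAST' }
    )
}

function Get-PatchStatus {
    # The cumulative update bumps the build revision (UBR); the KB list is a heuristic,
    # since Get-HotFix only knows about packages that registered themselves.
    $cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending
    [pscustomobject]@{
        OSBuild                   = "$($cv.CurrentBuild).$($cv.UBR)"
        HotfixesSincePatchTuesday = @($recent | ForEach-Object { "$($_.HotFixID) ($($_.InstalledOn.ToString('yyyy-MM-dd')))" })
        AnyUpdateSinceRelease     = @($recent).Count -gt 0
    }
}

function Get-PatchTuesdayTriage {
    $exposure = Get-ExposedComponents
    $patch    = Get-PatchStatus
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSBuild               = $patch.OSBuild
        AnyUpdateSinceRelease = $patch.AnyUpdateSinceRelease
        UpdatesInstalled      = $patch.HotfixesSincePatchTuesday
        ExposedTo             = @($exposure | Where-Object Present | ForEach-Object { $_.CVE })
        NotExposedTo          = @($exposure | Where-Object { -not $_.Present } | ForEach-Object { $_.CVE })
    }
}

Get-PatchTuesdayTriage | Format-List
```

Treat AnyUpdateSinceRelease as a prompt to check, not proof of coverage: compare OSBuild against the build number in the release notes for your SKU's January cumulative update, because a driver or .NET package installed after 14 January will also satisfy the date filter. A host with ExposedTo non-empty and no January update is the one to move to the front of the queue.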

References

SANS Internet Storm Center: Microsoft January 2025 Patch Tuesday

PatchaPalooza: Microsoft January 2025 Patch Tuesday

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Balazs Greksza

Domenico de Vitto

Rhys Downing

Manupriya Sharma