ION Advisory: Microsoft January 2025 Patch Tuesday
The Microsoft January 2025 Patch Tuesday update addresses 209 vulnerabilities in Microsoft products; 12 of these are rated ‘critical’, and 3 are already being exploited.
Active Exploitation
The following critical vulnerabilities are already being actively exploited.
- CVE-2025-21333 & CVE-2025-21334 & CVE-2025-21335 – Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities – An attacker who successfully exploited these vulnerabilities could gain SYSTEM privileges.
Critical Vulnerabilities
The following critical vulnerabilities are not yet known to be actively exploited or publicly disclosed.
- CVE-2025-21311 – Windows NTLM V1 Elevation of Privilege Vulnerability – This vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is low: an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. Microsoft refers to the Network security: LAN Manager authentication level policy for mitigation information.
- CVE-2025-21298 – Windows OLE Remote Code Execution Vulnerability – An attacker could exploit the vulnerability by sending a specially crafted email to a victim running an affected version of Outlook.
- CVE-2025-21297 & CVE-2025-21309 – Windows Remote Desktop Services Remote Code Execution Vulnerabilities – An attacker could remotely exploit these vulnerabilities on a system with the Remote Desktop Gateway role.
- CVE-2025-21296 – BranchCache Remote Code Execution Vulnerability – This attack is limited to systems connected to the same network segment as the attacker.
- CVE-2025-21294 – Microsoft Digest Authentication Remote Code Execution Vulnerability – An attacker could exploit this vulnerability by connecting to a system that requires digest authentication.
- CVE-2025-21307 – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability – An unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to Windows Pragmatic General Multicast (PGM) without any user interaction.
- CVE-2025-21295 – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability – Remote code execution without user interaction.
- CVE-2025-21380 – Azure Marketplace SaaS Resources Information Disclosure Vulnerability – This vulnerability has already been fully mitigated by Microsoft.
- CVE-2025-21385 – Microsoft Purview Information Disclosure Vulnerability – This vulnerability has already been fully mitigated by Microsoft.
Publicly Disclosed Vulnerabilities
The following vulnerabilities have been publicly disclosed, but are not yet known to be actively exploited.
- CVE-2025-21186 & CVE-2025-21366 & CVE-2025-21395 – Microsoft Access Arbitrary Code Execution Vulnerabilities – Arbitrary Code Execution (ACE) vulnerabilities; the update blocks malicious files with Access file extensions (accdb, accde, accdw, accdt, accda, accdr, accdu) from being sent via email.
- CVE-2025-21275 – Windows App Package Installer Elevation of Privilege Vulnerability – An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.
- CVE-2025-21308 – Windows Themes Spoofing Vulnerability – Microsoft recommends restricting outgoing NTLM traffic to remote servers (best practice for systems using NTLM). To enable the policy: select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. In the right pane, double-click the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy and configure it according to the options listed in the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers documentation.
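As an added example (not part of the original advisory or Microsoft's guidance), the following read-only PowerShell reads the registry values behind the two NTLM policies referenced above, Network security: LAN Manager authentication level and Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, and reports whether NTLMv1 responses and unrestricted outgoing NTLM are still permitted on the host. The function name is an assumption chosen for this example.

```powershell
# Added example: audit the NTLM hardening settings named in this advisory.
# Read-only; run from an elevated PowerShell prompt on the host being assessed.

function Get-NtlmHardeningStatus {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = Join-Path $lsa 'MSV1_0'

    # "Network security: LAN Manager authentication level" -> Lsa\LmCompatibilityLevel
    # Levels 0-2 still send LM/NTLMv1 responses; levels 3-5 send NTLMv2 only.
    $lmMap = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only, refuse LM'
        5 = 'Send NTLMv2 response only, refuse LM & NTLM'
    }
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    #   -> Lsa\MSV1_0\RestrictSendingNTLMTraffic
    $restrictMap = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

    $lm = (Get-ItemProperty -Path $lsa   -Name LmCompatibilityLevel       -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $rs = (Get-ItemProperty -Path $msv10 -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic

    # A missing LmCompatibilityLevel means the policy is "Not defined" and the OS default applies;
    # flag it for review instead of guessing, since the default differs between Windows versions.
    if ($null -eq $lm) {
        $lmText = 'not set (OS default applies)'; $ntlmV1Permitted = 'review'
    } else {
        $lmText = "$lm - $($lmMap[[int]$lm])";   $ntlmV1Permitted = ([int]$lm -lt 3)
    }
    # A missing RestrictSendingNTLMTraffic means "Not defined", which behaves as Allow all.
    if ($null -eq $rs) {
        $rsText = 'not set (Allow all)';          $outgoingRestricted = $false
    } else {
        $rsText = "$rs - $($restrictMap[[int]$rs])"; $outgoingRestricted = ([int]$rs -eq 2)
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        LmCompatibilityLevel   = $lmText
        NtlmV1Permitted        = $ntlmV1Permitted
        RestrictOutgoingNtlm   = $rsText
        OutgoingNtlmRestricted = $outgoingRestricted
    }
}

Get-NtlmHardeningStatus | Format-List
```

A result of NtlmV1Permitted = True or OutgoingNtlmRestricted = False indicates the policy values the advisory points to have not been applied on that host; note that Group Policy may set these values at the next refresh, so compare against the intended domain policy rather than the local registry alone.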
Countermeasures and Patches
- Apply patches as soon as possible, after appropriate testing.