Microsoft definitely didn’t want to waste any time jumping into 2025, patching 161 CVEs with the January Patch Tuesday. There are 159 CVEs issued by Microsoft, 1 by CERT CC, and 1 by GitHub.
11 of the 161 CVEs jumped out at me today. Specifically, 3 vulnerabilities with CVSS scores of 9.8, 3 vulnerabilities that are reported as Exploitation Detected, and 5 vulnerabilities that have been publicly disclosed. If you’re struggling with where to start prioritizing these, start with the three Windows Hyper-V vulnerabilities that were reported as exploitation detected: CVE-2025-21335, CVE-2025-21334, and CVE-2025-21333. All three of these vulnerabilities could allow an authenticated attacker to elevate their privileges to SYSTEM.
This is definitely one of those months where admins need to step back, take a deep breath, and determine their plan of attack. While a large number of these vulnerabilities will be resolved by the Windows cumulative update, there is a plethora of other software impacted, including a number of Office products (Word, Excel, Access, Outlook, Visio, and SharePoint) as well as other Microsoft products like .NET, .NET Framework, and Visual Studio.
A couple of pieces of software show up this month that admins may not be expecting. Their appearance in the Microsoft release notes is so rare that admins may not even know everywhere they are installed. This includes the On-Premises Data Gateway for Power BI as well as Power Automate for Desktop. This is a great time to check your asset inventory software and determine if and where you are affected.
With three CVSS 9.8s this month, it is worthwhile to take a bit of a closer look at each of them.
CVE-2025-21311 describes a vulnerability in Windows NTLMv1 that impacts Windows 11, Windows Server 2022, and Windows Server 2025. Microsoft has indicated that there is a mitigation available for those that cannot patch, which involves changing the value of HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 5. This will restrict the system to NTLMv2 and disable NTLMv1.
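One way to audit and roll out the LmCompatibilityLevel mitigation described above on a single host, as an added PowerShell example (not code from the original post or from Microsoft): it reads the current value, reports what that level means, and only writes 5 when run with the -Remediate switch (a parameter defined here, not a Windows option).

```powershell
# Added example (not from the original post or Microsoft): audit and optionally
# apply the LmCompatibilityLevel mitigation Microsoft describes for CVE-2025-21311.
# Run from an elevated PowerShell session; pilot on a test group first, because
# level 5 makes the host refuse LM and NTLMv1 responses from legacy clients.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$KeyPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'
$Required  = 5           # "Send NTLMv2 response only. Refuse LM & NTLM"

# Meaning of each level, per Microsoft's documentation of the setting
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($null -eq $current) {
    # An absent value means the OS default (3 on current Windows), which still
    # accepts NTLMv1 from clients even though the host itself sends NTLMv2.
    Write-Output "$ValueName is not set; the OS default applies and NTLMv1 is still accepted."
} else {
    Write-Output ("Current {0} = {1} ({2})" -f $ValueName, $current, $Levels[[int]$current])
}

if ($null -ne $current -and [int]$current -ge $Required) {
    Write-Output 'Host already refuses LM and NTLMv1 responses; no change needed.'
    return
}

if (-not $Remediate) {
    Write-Warning "Not compliant. Re-run with -Remediate to set $ValueName to $Required."
    return
}

# -WhatIf is honoured here because of SupportsShouldProcess
if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $Required")) {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Required -Type DWord
    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    Write-Output ("Now {0} = {1} ({2})" -f $ValueName, $after, $Levels[[int]$after])
}
```

In a domain, the same value is better deployed through the "Network security: LAN Manager authentication level" Group Policy setting than by editing hosts one at a time; the script is useful for spot checks and for standalone machines.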
CVE-2025-21307 describes an unauthenticated remote code execution vulnerability in the Windows Reliable Multicast Transport Driver (RMCAST) when listening on a Pragmatic General Multicast (PGM) port. If you do not have PGM installed or have no programs listening over PGM, then you are not impacted by this vulnerability.
CVE-2025-21298 describes a code execution vulnerability in Windows OLE. While this is called a remote network attack, the actual vector is via email and not a service listening on the network. The Microsoft Outlook preview pane is a valid attack vector, which lends itself to calling this a remote attack. Consider reading all emails in plain text to avoid vulnerabilities like this one.
At the end of the day, months like these are a great reminder that admins need to trust their vendors and their tooling. Fixing 161 vulnerabilities cannot be a fully manual process, especially since we know that more than just Microsoft patches are dropping today. Adobe, as an example, has dropped updates for Photoshop, Substance3D Stager, Illustrator for iPad, Animate, and Adobe Substance3D Designer. Patching vulnerabilities should not be a solo endeavour in the enterprise and, if it is, it may be time to talk to your leadership about staffing and tooling changes.
Fortra® Security & Trust Center