
January Patch Tuesday resolves 3 Hyper-V zero-days

The number of vulnerabilities corrected for January Patch Tuesday is one of the highest in recent memory and includes three Hyper-V vulnerabilities exploited in the wild.

Vacation is over for Microsoft admins, who will deal with the highest number of CVEs for a Patch Tuesday in recent memory, with three zero-day exploits in Hyper-V drawing the most attention.

Microsoft corrected 159 unique new CVEs, 10 of them rated critical. The security updates cover a wide range of Microsoft products, such as .NET, Visual Studio and Microsoft Office, but the majority of the vulnerabilities reside in the Windows operating system. Of the 10 critical vulnerabilities, eight are in Windows, making the OS updates the priority for admins.

Three Hyper-V zero-day exploits resolved

Organizations that rely on Hyper-V for their virtualized workloads running on later versions of Windows are more susceptible to the three zero-days that were shut down by the January Patch Tuesday security updates.

All three Hyper-V zero-days (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335) are Windows Hyper-V NT kernel integration Virtualization Service Provider (VSP) elevation-of-privilege vulnerabilities. They have the same CVSS rating of 7.8 and are all rated important. The affected Windows platforms include Windows 10, Windows 11, Windows Server 2022 and Windows Server 2025.

The attacker needs to be on the local network but does not need user interaction to trigger the exploit. If successful, the attacker can acquire system-level privileges on the Windows machine, which is the highest possible level.

"Microsoft confirmed these as exploits in the wild, so from a risk-based prioritization perspective, we would guide people to treat them as critical and give them a higher priority," said Chris Goettl, vice president of product management for security products at Ivanti.

There are no mitigations for these vulnerabilities, meaning patching is the only fix, which makes it imperative for enterprises to apply the security updates to those systems quickly. 

Microsoft fixes five publicly disclosed flaws

For January Patch Tuesday, Microsoft also corrected five publicly disclosed vulnerabilities, meaning details about the flaws were widely known before there was a patch.

Three vulnerabilities (CVE-2025-21186, CVE-2025-21395 and CVE-2025-21366) are Microsoft Access remote-code execution flaws, all rated important with the same 7.8 CVSS score. The attacker must be on the network, and the exploit requires user interaction, such as downloading and running a malicious file.

Applying the security update will block email attachments with malicious file extensions.

"The email recipient will get a notification that there was an attachment but it cannot be accessed," Microsoft wrote in its CVE notes. 

Although no public exploit code exists, Goettl said administrators should patch affected systems promptly and warn users not to download untrusted files.

The fourth publicly disclosed vulnerability is a Windows App Package Installer elevation-of-privilege bug (CVE-2025-21275) rated important with a 7.8 CVSS score. This flaw affects newer Windows OSes: Windows 10, Windows 11, Windows Server 2022 and Windows Server 2025.

The attacker needs basic user privileges to exploit the vulnerability. If successful, they could gain system-level privileges to get full access to the machine.

The last publicly disclosed vulnerability is CVE-2025-21308, a spoofing flaw in Windows Themes rated important with a 6.5 CVSS score. This bug affects all currently supported desktop and server versions of Windows.

This vulnerability involves NTLM (NT LAN Manager), a legacy authentication protocol that is used as a fallback when a newer protocol, such as Kerberos, is not available. NTLM checks a user's credentials during access requests to devices or applications on the network.

Microsoft offers mitigation advice to admins in the CVE notes, with instructions on how to disable NTLM to avoid these types of threats or how to use Group Policy to stop NTLM hashes from being sent.

"If you still rely on NTLM, even in some legacy use cases, then it's more difficult to try to contain this vulnerability, so updating is the best guidance," Goettl said. 

Other security updates of note for January Patch Tuesday

  • Windows Object Linking and Embedding (OLE) remote-code execution vulnerability (CVE-2025-21298) has a CVSS score of 9.8 and affects all supported Windows versions. This flaw allows an unauthenticated threat actor to run arbitrary code via a specially crafted email; the exploit is triggered when a user opens the message or views it in the Microsoft Outlook preview pane.
  • Windows NTLM V1 elevation-of-privilege vulnerability (CVE-2025-21311) has a 9.8 CVSS score and affects the latest Windows versions: Windows 11, Windows Server 2022 and Windows Server 2025. Microsoft offers mitigation advice for admins who cannot patch quickly. The vulnerability can be exploited remotely and does not require user interaction. A successful exploit could give the attacker system-level privileges. 
  • Microsoft Office Excel remote-code execution flaws (CVE-2025-21354 and CVE-2025-21362) both have a CVSS score of 7.8 and are rated critical. Attackers can launch their exploits through the preview pane to raise the chances of success. "If I can just send somebody something and the preview itself is enough to exploit that vulnerability, then it definitely raises that risk," Goettl said. 
  • Active Directory Domain Services elevation-of-privilege vulnerability (CVE-2025-21293) is rated important with an 8.8 CVSS score. An attacker needs to be logged into the system with low privileges to trigger the exploit and gain system-level privileges. Goettl said this type of vulnerability is typically used in an exploit chain to launch other attacks.

Microsoft implements Windows hardening upgrades

Microsoft plans to conclude a multi-phase approach it started in May 2022 to strengthen certificate-based authentication in the coming months. 

Domain administrators should prepare for the next step coming in February that switches devices to "full enforcement mode." Next month, the domain controller will deny weak certificate mapping and block devices unless the administrator makes a manual change to compatibility mode. Microsoft plans to remove this option in September when it will switch domains to "strong enforcement only."

Administrators should use audit logs and registry settings to find devices without strong mappings before the September deadline. 

This Windows hardening process is designed to improve certificate-based authentication on Windows domain controllers after several vulnerabilities were used to spoof machine accounts and produce counterfeit certificates, leading to breaches and other attacks.

In another security upgrade for Windows environments, Microsoft started "enforced mode enabled by default" this month across all systems to resolve vulnerabilities (CVE-2024-26248 and CVE-2024-29056) in the Kerberos Privilege Attribute Certificate (PAC) Validation Protocol. This change prevents attackers from forging PAC signatures, blocking attempts to elevate privileges.  

Admins can switch to "compatibility mode" by manually adjusting registry settings if problems arise. Microsoft said it will implement "full enforcement" mode in April, which removes the "compatibility mode" option.
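As an added example (not from the article or from Microsoft), the following PowerShell inventories the enforcement state of the certificate-mapping and PAC-validation rollouts described above, plus the outbound-NTLM restriction mentioned under CVE-2025-21308, and lists the KDC events that identify certificates without a strong mapping. Registry value names, their meanings and the event IDs follow Microsoft's KB5014754 and KB5037754 documentation; the helper function names and the 30-day window are assumptions.

```powershell
# Added example: audit Windows hardening state on a domain controller.
# Run in an elevated PowerShell session on each DC.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.$Name
}

function Format-Level {
    param($Value, [hashtable]$Labels)
    if ($null -eq $Value) { return 'Not set (OS default applies)' }
    if ($Labels.ContainsKey($Value)) { return "$Value ($($Labels[$Value]))" }
    return "$Value (unexpected value)"
}

# Certificate-based authentication hardening (KB5014754), Kdc service key.
$kdc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$sb  = Get-RegDword $kdc 'StrongCertificateBindingEnforcement'
'StrongCertificateBindingEnforcement: ' + (Format-Level $sb @{0='Disabled'; 1='Compatibility'; 2='Full enforcement'})

# Kerberos PAC validation hardening (KB5037754, CVE-2024-26248 / CVE-2024-29056).
$krb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$pac = Get-RegDword $krb 'PacSignatureValidationLevel'
$xdf = Get-RegDword $krb 'CrossDomainFilteringLevel'
'PacSignatureValidationLevel: ' + (Format-Level $pac @{2='Compatibility'; 3='Enforcement'})
'CrossDomainFilteringLevel:   ' + (Format-Level $xdf @{2='Compatibility'; 4='Enforcement'})

# Outbound NTLM restriction (Group Policy "Restrict NTLM: Outgoing NTLM traffic to remote servers").
$msv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = Get-RegDword $msv 'RestrictSendingNTLMTraffic'
'RestrictSendingNTLMTraffic:  ' + (Format-Level $ntlm @{0='Allow all'; 1='Audit all'; 2='Deny all'})

# KDC audit events that flag certificates without a strong mapping:
# 39 = no strong mapping, 40 = certificate predates the account, 41 = SID mismatch.
$weak = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
    StartTime    = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

"Weak-mapping KDC events in the last 30 days: $(@($weak).Count)"
$weak |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Every account that shows up in the event list needs an explicit strong mapping (or a reissued certificate) before the September "strong enforcement only" deadline, otherwise its certificate logons will fail.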

Tom Walat is the site editor for Informa TechTarget Editorial's Windows Server site, where he manages all site content. Walat previously worked for a newspaper in the Greater Boston area.
