Microsoft’s January Update Contains Record 159 Vulnerabilities, Including Eight Zero-Day Bugs
Microsoft’s January update contains patches for a record 159 vulnerabilities, including eight zero-day bugs, three of which attackers are already actively exploiting.
The update is Microsoft’s largest ever and is also notable for including three bugs that the company said were discovered by an artificial intelligence (AI) platform.
Microsoft assessed 10 of the vulnerabilities disclosed this week as being of critical severity and the remaining ones as important bugs to fix. As always, the patches address vulnerabilities in a wide range of Microsoft technologies, including Windows OS, Microsoft Office, .NET, Azure, Kerberos, and Windows Hyper-V. They include more than 20 remote code execution (RCE) vulnerabilities, nearly the same number of elevation-of-privilege bugs, and an assortment of other denial-of-service flaws, security bypass issues, and spoofing and information disclosure vulnerabilities.
In such an environment, an unauthenticated attacker only needs to send a malicious packet to the server to trigger the vulnerability, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, wrote in emailed comments. Attackers who successfully exploit the vulnerability can gain kernel-level access to affected systems, meaning organizations using the protocol need to apply Microsoft’s patch for the flaw immediately, McCarthy added.
CVE-2025-21298 — the third 9.8 severity bug — is an RCE flaw that an attacker would likely exploit via email rather than over the network. “The Microsoft Outlook preview pane is a valid attack vector, which lends itself to calling this a remote attack. Consider reading all emails in plaintext to avoid vulnerabilities like this one,” he noted in emailed comments.
Microsoft’s January 2025 update is in stark contrast to January 2024’s update when the company disclosed just 49 CVEs. According to data from Automox, the company issued patches for 150 CVEs in April 2024, and for 142 in July.