On Patchday, January 14, 2025, Microsoft released security updates for Windows clients and servers, for Office and for other products. The security updates close 159 vulnerabilities (CVEs), eight of which are classified as 0-day. Below is a compact overview of the updates released on this Patchday.
Notes on the updates
A list of updates can be found on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates for the server counterparts) are cumulative. The monthly Patchday update contains all security fixes for these Windows versions, as well as all non-security fixes released up to Patchday. In addition to the security patches for the vulnerabilities, the updates therefore also contain bug fixes and, in some cases, new features.
Windows Server 2012 R2
An ESU license is required for Windows Server 2012/R2 to receive further security updates (see Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).
Fixed vulnerabilities
Tenable has this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2025-21333, CVE-2025-21334, CVE-2025-21335: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege vulnerability, all with CVSSv3 score 7.8, important. An authenticated, local attacker could exploit this vulnerability to gain SYSTEM privileges. According to Microsoft, all three vulnerabilities were exploited as zero-days, but no details are known.
- CVE-2025-21186, CVE-2025-21366, CVE-2025-21395: Microsoft Access Remote Code Execution vulnerability, CVSSv3 score 7.8, important. An unauthenticated remote attacker could exploit this vulnerability by using social engineering to trick a target into downloading and opening a malicious file. Successful exploitation would grant an attacker arbitrary code execution on the vulnerable system. This update "prevents potentially malicious extensions from being sent in an email". According to Microsoft, these three vulnerabilities were publicly disclosed before a patch was available (zero-days). They are attributed to unpatched.ai, which uses artificial intelligence (AI) to find and analyze vulnerabilities.
- CVE-2025-21308: Windows Themes Spoofing vulnerability, CVSSv3 score 6.5, important. According to Microsoft, an attacker must trick a user into loading a malicious, specially crafted file and manipulating it. Microsoft has provided a list of mitigations, including disabling New Technology LAN Manager (NTLM) or using Group Policy to block NTLM hashes.
- CVE-2025-21275: Windows App Package Installer Elevation of Privilege vulnerability, CVSSv3 score 7.8, important. A local, authenticated attacker could exploit this vulnerability to gain SYSTEM privileges. These types of vulnerabilities are often associated with post-compromise activity, after an attacker has already penetrated a system by other means. According to Microsoft, this vulnerability was publicly disclosed before a patch was available.
- CVE-2025-21297, CVE-2025-21309: Windows Remote Desktop Services Remote Code Execution vulnerability, CVSSv3 score 8.1, critical. According to Microsoft, an attacker must connect to a system with the Remote Desktop Gateway role and trigger a race condition that creates a use-after-free scenario, which can be used to execute arbitrary code.
- CVE-2025-21298: Windows OLE Remote Code Execution vulnerability, CVSSv3 score 9.8, critical. An attacker can exploit this vulnerability by sending a specially crafted email to a target. Successful exploitation would lead to remote code execution on the target system if the target opens this email with a vulnerable version of Microsoft Outlook, or if their software is able to preview the email. It is recommended to configure Microsoft Outlook to read emails "in plain text format" rather than in a rich format.
A list of all CVEs can be found on this Microsoft page; excerpts are available at Tenable.
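The two mitigations mentioned above, Outlook's plain-text reading mode (CVE-2025-21298) and the NTLM restriction policies (CVE-2025-21308), can be verified on an endpoint with a read-only PowerShell audit. This is an added example, not code from the original post or from Microsoft; the registry paths and value names (ReadAsPlain, RestrictSendingNTLMTraffic, RestrictReceivingNTLMTraffic) are assumptions taken from Microsoft's documented settings, and Office version 16.0 is assumed.

```powershell
# Added example (not from the original post): read-only audit of two mitigations
# named above. Registry paths and value names are assumptions taken from
# Microsoft's documented settings; Office version 16.0 is assumed.

function Get-OutlookPlainTextState {
    # CVE-2025-21298 mitigation: Outlook "read all standard mail in plain text".
    # A policy value (Software\Policies\...) overrides the per-user value.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail',
        'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name ReadAsPlain -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $p; ReadAsPlain = [int]$v.ReadAsPlain }
        }
    }
    [pscustomobject]@{ Source = '(not set)'; ReadAsPlain = 0 }
}

function Get-NtlmRestrictionState {
    # CVE-2025-21308 mitigation: "Network security: Restrict NTLM" policies are
    # stored under Lsa\MSV1_0. Outgoing: 0 = allow all, 1 = audit all, 2 = deny all.
    # Incoming: 0 = allow all, 1 = deny domain accounts, 2 = deny all accounts.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $outgoing = 0; $incoming = 0
    if ($null -ne $v.RestrictSendingNTLMTraffic)   { $outgoing = [int]$v.RestrictSendingNTLMTraffic }
    if ($null -ne $v.RestrictReceivingNTLMTraffic) { $incoming = [int]$v.RestrictReceivingNTLMTraffic }
    [pscustomobject]@{ OutgoingNtlm = $outgoing; IncomingNtlm = $incoming }
}

$outlook = Get-OutlookPlainTextState
$ntlm    = Get-NtlmRestrictionState

$plain = if ($outlook.ReadAsPlain -eq 1) { 'ENABLED' } else { 'NOT ENABLED' }
Write-Host "Outlook plain-text reading : $plain (source: $($outlook.Source))"
Write-Host "Outgoing NTLM restriction  : $($ntlm.OutgoingNtlm)  (2 = deny all)"
Write-Host "Incoming NTLM restriction  : $($ntlm.IncomingNtlm)  (2 = deny all)"
if ($outlook.ReadAsPlain -ne 1 -or $ntlm.OutgoingNtlm -lt 2) {
    Write-Warning 'At least one of the mitigations listed above is not fully applied.'
}
```

Run it in the context of the user whose Outlook profile is being checked; the NTLM values are machine-wide and readable without elevation.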