January’s Patch Tuesday: Microsoft Fixes 159 Vulnerabilities Across Windows and Office
Yesterday marked a significant update from Microsoft, with the release of the January Patch Tuesday updates addressing 159 security vulnerabilities across several of the company’s products. This is one of the most extensive Patch Tuesdays in recent years, more than doubling the usual number of fixed security flaws. Among the patched vulnerabilities, three were actively being exploited, while five had been publicly disclosed prior to the update.
A majority of the vulnerabilities — 132 in total — impact various versions of Windows 10, Windows 11, and Windows Server. Older versions, like Windows 7 and Windows 8.1, are not covered in the security report, and users running those systems are strongly advised to upgrade to a supported version to continue receiving security updates.
Windows Vulnerabilities Addressed

The three vulnerabilities that are actively being exploited are related to Hyper-V. These vulnerabilities (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) allow attackers to execute code from a guest system on the host system. The extent of the attacks is still unclear. Additionally, eight critical vulnerabilities have been addressed, including a Windows OLE vulnerability (CVE-2025-21298), which can be exploited via email in Outlook. Remote Desktop Services vulnerabilities (CVE-2025-21297 and CVE-2025-21309) have also been patched; these could potentially allow remote attacks without a user login.

Microsoft Office Updates

Microsoft also addressed 20 vulnerabilities in its Office products, many of which are Remote Code Execution (RCE) vulnerabilities found in Word, Excel, Outlook, OneNote, Visio, and SharePoint Server. Three of these vulnerabilities, affecting Access, are considered zero-days, meaning they were actively exploited before the update.

Microsoft Edge

The update for Microsoft Edge, version 131.0.2903.146, addresses a range of vulnerabilities. However, apart from the update catalog, detailed documentation from Microsoft is still pending.
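For administrators who want to confirm that a machine has picked up this month's updates, the following PowerShell snippet is an added example, not part of the article or any Microsoft documentation. It checks the installed Edge build against the 131.0.2903.146 version named above, lists hotfixes installed on or after the January 2025 Patch Tuesday date (14 January 2025, assumed here as the release date), and reports whether the Hyper-V role is present, since the three actively exploited CVEs only matter on hosts running it. The Edge install paths are the default locations and are an assumption; the feature-state query needs an elevated prompt.

```powershell
# Added example (not from the article): verify the Edge build, list recent
# hotfixes, and report whether Hyper-V is enabled on this host.

# Minimum Edge build named in the article.
$requiredEdge = [version]'131.0.2903.146'

# Default install locations (assumption; adjust for custom deployments).
$edgePaths = @(
    "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
)
$edgeExe = $edgePaths | Where-Object { Test-Path $_ } | Select-Object -First 1

if ($edgeExe) {
    $installed = [version](Get-Item $edgeExe).VersionInfo.ProductVersion
    if ($installed -ge $requiredEdge) {
        "Edge $installed is at or above the patched build $requiredEdge"
    } else {
        "Edge $installed is BELOW the patched build $requiredEdge - update required"
    }
} else {
    "Microsoft Edge not found in the default install locations"
}

# Hotfixes installed on or after the January 2025 Patch Tuesday (assumed 2025-01-14).
$patchTuesday = Get-Date '2025-01-14'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday }
if ($recent) {
    $recent | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "No hotfixes installed since $($patchTuesday.ToShortDateString()) - check Windows Update"
}

# Hyper-V role state (requires an elevated prompt). Hosts with the role enabled
# are the ones exposed to the three actively exploited Hyper-V CVEs.
Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All |
    Select-Object FeatureName, State
```

Get-HotFix only reports packages that surface through the Win32_QuickFixEngineering class, so a cumulative update that has been downloaded but not yet installed (or a reboot that is still pending) will not appear; treat an empty list as a prompt to check Windows Update or your management tooling rather than as proof the machine is unpatched.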
For a deeper dive into these vulnerabilities, Dustin Childs provides additional insights on the Zero Day Initiative blog, targeting administrators managing corporate networks.
The next Patch Tuesday will be on February 11, 2025, marking the next round of security fixes from Microsoft.