
8 zero-days in one Patch Tuesday? Welcome to 2025
The January 2025 Patch Tuesday consists of 159 Microsoft CVEs, including three that are actively exploited.
Three actively exploited vulnerabilities were fixed in the Windows Hyper-V NT Kernel Integration VSP. Windows Hyper-V lets you run multiple operating systems as virtual machines on Windows. Hyper-V provides hardware virtualization, meaning that each virtual machine runs on virtual hardware. The Virtualization Service Provider (VSP) is the component of this platform that runs in the root (parent) partition and provides synthetic device support to child partitions over the Virtual Machine Bus (VMBus).
All three Hyper-V vulnerabilities (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) have a CVSS score of 7.8 out of 10, and successful exploitation of any of them could give the attacker SYSTEM privileges. The 7.8 score reflects a local attack vector: an attacker must already be running code on the host, so these are post-foothold escalation bugs of the kind typically chained after an initial compromise rather than used for initial access.
Five other vulnerabilities were publicly exposed but have not yet been flagged as actively exploited.
Three of these vulnerabilities were Remote Code Execution (RCE) flaws in Microsoft Access (CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395) that were found and flagged by unpatched.ai, an initiative that uses AI to find unknown vulnerabilities. These three also have a CVSS score of 7.8. It is important to note that the update only blocks potentially malicious extensions from being sent in an email; it does not change how Access handles a file that reaches the user by another route.
The other two zero-days were an elevation of privilege flaw in the Windows App Package Installer (CVE-2025-21275) and a spoofing flaw in Windows Themes (CVE-2025-21308) that could lead to improper disclosure of a user's NTLM hash. Microsoft flags both as “Exploitation less likely.”
Another important CVE to keep an eye on is CVE-2025-21298, an RCE flaw in Windows Object Linking and Embedding (OLE) with a CVSS score of 9.8, which Microsoft lists as “Critical” and “Exploitation more likely.” Exploitation might involve either a victim opening a specially crafted email in an affected version of Microsoft Outlook, or the victim's Outlook merely displaying a preview of that email, so no attachment needs to be opened. Either way the attacker could execute code on the victim's machine. As a workaround, Microsoft advises reading all standard mail in plain text. Note that this only removes Outlook as the delivery path; it does not fix the OLE component itself, so treat it as a stopgap until the update is installed.
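The following PowerShell is an added example, not code from the original article or from Microsoft. It applies and then verifies the two interim mitigations discussed above: the Outlook "Read all standard mail in plain text" setting Microsoft names as the workaround for the OLE flaw (CVE-2025-21298), and, for the Windows Themes NTLM-hash leak (CVE-2025-21308), the standard defence against outbound NTLM leaks of restricting outgoing NTLM authentication and blocking SMB egress to the internet. The registry locations are the documented Outlook and LSA ones; the firewall rule name, the choice to start the NTLM restriction in audit mode, and the `Test-InterimMitigations` helper are this example's own choices.

```powershell
# Added example (not from the article): interim mitigations for
# CVE-2025-21298 (Outlook plain-text reading) and CVE-2025-21308
# (outbound NTLM hash leak). Run from an elevated PowerShell session;
# the LSA and firewall changes are machine-wide.

# 1. Outlook: read all standard mail in plain text.
#    This is the per-user preference key. The Group Policy equivalent is the
#    same value name under HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail.
$outlookMail = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
New-Item -Path $outlookMail -Force | Out-Null
Set-ItemProperty -Path $outlookMail -Name ReadAsPlain -Type DWord -Value 1

# 2. LSA: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#    0 = allow all, 1 = audit all, 2 = deny all.
#    Starting at 1 (audit) is this example's choice: review Event ID 8001 in the
#    Microsoft-Windows-NTLM/Operational log for legitimate NTLM destinations,
#    add them to ClientAllowedNTLMServers, then move to 2.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Type DWord -Value 1

# 3. Firewall: block outbound SMB (TCP 445) to internet addresses so a theme
#    file pointing at an external UNC path cannot reach the attacker's server.
#    'Internet' is a built-in address keyword; LAN file servers are unaffected.
$ruleName = 'Block outbound SMB to Internet (NTLM leak mitigation)'   # example name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Verification: returns one object with a boolean per mitigation, suitable for
# feeding into a compliance check rather than eyeballing the registry.
function Test-InterimMitigations {
    $readAsPlain = (Get-ItemProperty -Path $outlookMail -Name ReadAsPlain `
        -ErrorAction SilentlyContinue).ReadAsPlain
    $ntlm = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
        -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OutlookReadAsPlain     = ($readAsPlain -eq 1)
        NtlmOutgoingAudited    = ($ntlm -eq 1)
        NtlmOutgoingDenied     = ($ntlm -eq 2)
        SmbEgressBlocked       = [bool]($rule | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' })
    }
}

Test-InterimMitigations | Format-List
```

Two caveats worth keeping in mind. The port-445 block only covers SMB; Windows will also send NTLM over WebDAV (HTTP) when the WebClient service is running, which is why the LSA restriction, not the firewall rule, is the control that actually stops the hash leaving the machine. And `RestrictSendingNTLMTraffic = 2` will break any legitimate NTLM-only service (legacy file servers, some proxies), so run in audit mode long enough to populate the allow list before enforcing.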
Other vendors
Adobe released security updates for several products:
- Adobe Photoshop
- Adobe Substance3D Stager
- Adobe Illustrator for iPad
- Adobe Animate
- Adobe Substance3D Designer
- BeyondTrust released a security advisory for a vulnerability in Privileged Remote Access and Remote Support that allows an attacker who already holds administrative privileges to inject commands and run them as a site user.
- Cisco released security updates for multiple products.
- Google published the Android Security Bulletin for January 2025.
- Ivanti released a security advisory for an actively exploited Connect Secure flaw.
- Qlik released security fixes for a Qlik Sense HTTP Tunneling vulnerability.
- SAP released security updates for several products as part of January Patch Day.