{"id":1325,"date":"2025-01-15T03:00:58","date_gmt":"2025-01-15T03:00:58","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/01\/15\/microsoft-happy-2025-heres-161-security-updates\/"},"modified":"2025-01-15T03:00:58","modified_gmt":"2025-01-15T03:00:58","slug":"microsoft-happy-2025-heres-161-security-updates","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/01\/15\/microsoft-happy-2025-heres-161-security-updates\/","title":{"rendered":"Microsoft: Happy 2025. Here\u2019s 161 Security Updates"},"content":{"rendered":"<p>Microsoft: Happy 2025. Here\u2019s 161 Security Updates<\/p>\n<div>\n<p><strong>Microsoft<\/strong> today unleashed updates to plug a whopping 161 security vulnerabilities in <strong>Windows<\/strong> and related software, including three \u201czero-day\u201d weaknesses that are already under active attack. Redmond\u2019s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-60331\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate.png?resize=749%2C496&#038;ssl=1\" alt=\"\" width=\"749\" height=\"496\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate.png 923w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate-768x508.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/07\/winupdatedate-782x518.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p><strong>Rapid7<\/strong>\u2018s <strong>Adam Barnett<\/strong> says January marks the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. 
Today also saw the publication of nine critical remote code execution (RCE) vulnerabilities.<\/p>\n<p>The Microsoft flaws already seeing active attacks include <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-21333\" target=\"_blank\" rel=\"noopener\">CVE-2025-21333<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-21334\" target=\"_blank\" rel=\"noopener\">CVE-2025-21334<\/a> and, you guessed it\u2013 <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-21335\" target=\"_blank\" rel=\"noopener\">CVE-2025-21335<\/a>. These are sequential because all reside in <strong>Windows Hyper-V<\/strong>, a component that is heavily embedded in modern <strong>Windows 11<\/strong> operating systems and used for security features including device guard and credential guard.<\/p>\n<p>Tenable\u2019s <strong>Satnam Narang<\/strong> says little is known about the in-the-wild exploitation of these flaws, apart from the fact that they are all \u201cprivilege escalation\u201d vulnerabilities. Narang said we tend to see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because it\u2019s not always initial access to a system that\u2019s a challenge for attackers as they have various avenues in their pursuit.<\/p>\n<p>\u201cAs elevation of privilege bugs, they\u2019re being used as part of post-compromise activity, where an attacker has already accessed a target system,\u201d he said. \u201cIt\u2019s kind of like if an attacker is able to enter a secure building, they\u2019re unable to access more secure parts of the facility because they have to prove that they have clearance. 
In this case, they\u2019re able to trick the system into believing they should have clearance.\u201d<span id=\"more-70070\"><\/span><\/p>\n<p>Several bugs addressed today earned CVSS (threat rating) scores of 9.8 out of a possible 10, including <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-21298\" target=\"_blank\" rel=\"noopener\">CVE-2025-21298<\/a>, a weakness in Windows that could allow attackers to run arbitrary code by getting a target to open a malicious <strong>.rtf<\/strong> file, documents typically opened on Office applications like Microsoft Word. Microsoft has rated this flaw \u201cexploitation more likely.\u201d<\/p>\n<p><strong>Bob Hopkins<\/strong> at <strong>Immersive Labs<\/strong> called attention to the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-21311\" target=\"_blank\" rel=\"noopener\">CVE-2025-21311<\/a>, a 9.8 \u201ccritical\u201d bug in <strong>Windows NTLMv1<\/strong> (NT LAN Manager version 1), an older Microsoft authentication protocol that is still used by many organizations.<\/p>\n<p>\u201cWhat makes this vulnerability so impactful is the fact that it is remotely exploitable, so attackers can reach the compromised machine(s) over the internet, and the attacker does not need significant knowledge or skills to achieve repeatable success with the same payload across any vulnerable component,\u201d Hopkins wrote.<\/p>\n<p><strong>Kev Breen<\/strong> at Immersive points to an interesting flaw (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-21210\" target=\"_blank\" rel=\"noopener\">CVE-2025-21210<\/a>) that Microsoft fixed in its full disk encryption suite <strong>Bitlocker<\/strong> that the software giant has dubbed \u201cexploitation more likely.\u201d Specifically, this bug holds out the possibility that in some situations the hibernation image created when one closes the laptop lid on an open Windows session may not be fully 
encrypted and could be recovered in plain text.<\/p>\n<p>\u201cHibernation images are used when a laptop goes to sleep and contains the contents that were stored in RAM at the moment the device powered down,\u201d Breen noted. \u201cThis presents a significant potential impact as RAM can contain sensitive data (such as passwords, credentials and PII) that may have been in open documents or browser sessions and can all be recovered with free tools from hibernation files.\u201d<\/p>\n<p>Tenable\u2019s Narang also highlighted a trio of vulnerabilities in <strong>Microsoft Access<\/strong> fixed this month and credited to Unpatched.ai, a security research effort that is aided by artificial intelligence looking for vulnerabilities in code. Tracked as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-21186\" target=\"_blank\" rel=\"noopener\">CVE-2025-21186<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-21366\" target=\"_blank\" rel=\"noopener\">CVE-2025-21366<\/a>, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2025-21395\" target=\"_blank\" rel=\"noopener\">CVE-2025-21395<\/a>, these are remote code execution bugs that are exploitable if an attacker convinces a target to download and run a malicious file through social engineering. Unpatched.ai was also credited with discovering a flaw in the December 2024 Patch Tuesday release (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2024-49142\" target=\"_blank\" rel=\"noopener\">CVE-2024-49142<\/a>).<\/p>\n<p>\u201cAutomated vulnerability detection using AI has garnered a lot of attention recently, so it\u2019s noteworthy to see this service being credited with finding bugs in Microsoft products,\u201d Narang observed. 
\u201cIt may be the first of many in 2025.\u201d<\/p>\n<p>If you\u2019re a Windows user who has automatic updates turned off and hasn\u2019t updated in a while, it\u2019s probably time to play catch up. Please consider backing up important files and\/or the entire hard drive before updating. And if you run into any problems installing this month\u2019s patch batch, drop a line in the comments below, please.<\/p>\n<p>Further reading on today\u2019s patches from Microsoft:<\/p>\n<p><a href=\"https:\/\/www.tenable.com\/blog\/microsofts-january-2025-patch-tuesday-157-cves-cve-2025-21333-cve-2025-21334-cve-2025-21335\" target=\"_blank\" rel=\"noopener\">Tenable blog<\/a><\/p>\n<p><a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Microsoft%20January%202025%20Patch%20Tuesday\/31590\/\" target=\"_blank\" rel=\"noopener\">SANS Internet Storm Center<\/a><\/p>\n<p><a href=\"https:\/\/www.askwoody.com\/\" target=\"_blank\" rel=\"noopener\">Ask Woody<\/a><\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/01\/microsoft-happy-2025-heres-161-security-updates\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft: Happy 2025. Here\u2019s 161 Security Updates Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three \u201czero-day\u201d weaknesses that are already under active attack. Redmond\u2019s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017. 
Rapid7\u2018s Adam Barnett [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[355,533,534,535,536,537,538,539,540,541,542,543,544,545,55,206,546,547,363,186,207,178,548,549,550,551],"tags":[72],"class_list":["post-1325","post","type-post","status-publish","format-standard","hentry","category-adam-barnett","category-bitlocker","category-bob-hopkins","category-cve-2024-49142","category-cve-2025-21186","category-cve-2025-21210","category-cve-2025-21298","category-cve-2025-21311","category-cve-2025-21333","category-cve-2025-21334","category-cve-2025-21335","category-cve-2025-21366","category-cve-2025-21395","category-kev-breen","category-krebsonsecurity","category-latest-warnings","category-microsoft-access","category-microsoft-patch-tuesday-january-2025","category-rapid7","category-satnam-narang","category-the-coming-storm","category-time-to-patch","category-unpatched-ai","category-windows-11","category-windows-hyper-v","category-windows-ntlmv1","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1325"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1325"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1325\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1325"},{"taxonomy":"post_tag","embeddable":true,"href":"
https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}