
“Microsoft Kicks Off the Year with a Security Surge: Tackling 161 Vulnerabilities in January Patch Tuesday”


This page was generated automatically. To read the article in its original site, you can visit the link below:
https://www.cyberdaily.au/security/11582-microsoft-s-first-patch-tuesday-of-the-year-addresses-a-whopping-161-vulnerabilities
and if you wish to remove this article from our website, kindly get in touch with us


Microsoft is tackling 161 vulnerabilities this January 2025 Patch Tuesday. Microsoft has documented in-the-wild exploitation and/or public announcements for eight of the vulnerabilities disclosed today (14 January), with three highlighted on CISA KEV. This marks the fourth consecutive month that Microsoft has revealed zero-day vulnerabilities on Patch Tuesday without assessing any of them as critical severity at publication time. Additionally, today marks the disclosure of nine critical remote code execution (RCE) vulnerabilities. Uncommonly, no browser vulnerabilities have been reported this month.

Today’s release includes three closely related zero-day vulnerabilities in Microsoft Access: CVE-2025-21366, CVE-2025-21395, and CVE-2025-21186. In all instances, Microsoft notes public disclosure, yet lacks evidence of exploitation. Successful exploitation results in code execution via a heap-based buffer overflow and requires that an attacker persuade the user to download and open a malicious file.

Interestingly, in every case, a portion of the advisory FAQ describes the update’s protection as “blocking potentially harmful extensions from being transmitted in an email”, but the rest of the advisory does not explain how this would thwart malicious actions. Normally, patches secure systems by blocking harmful files upon receiving a malicious email attachment, rather than preventing an attacker from sending a harmful attachment at the outset, since attackers can send whatever they choose from any system they have access to. Regardless, the FAQ does mention that users who might have otherwise interacted with a harmful attachment will instead receive a notification indicating there was an attachment but “it cannot be accessed”, which perhaps showcases the best play on words we’ve encountered from MSRC in quite some time.

Today, Microsoft is also addressing a sibling trio of Windows Hyper-V NT Kernel Integration VSP elevation of privilege vulnerabilities: CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335. Microsoft is aware of exploitation occurring in the wild for all three vulnerabilities, as noted in both the Microsoft advisories and CISA KEV. In all cases, exploitation escalates privileges to SYSTEM level. The advisories provide limited information beyond a brief acknowledgment of Anonymous — likely an undisclosed entity, rather than the hacktivist collective — in CVE-2025-21333. While we can sometimes deduce context from previous instances, there are no parallels here; there’s no mention of Hyper-V NT Kernel Integration VSP in any vulnerabilities published by Microsoft at least since 2017. A look back to five years ago shows that CVE-2020-16885 does describe a privilege escalation vulnerability in the Windows storage VSP driver, but that also lacks substantial context.

The Virtualization Service Provider (VSP) operates in the root partition of a Hyper-V instance and offers synthetic device support to child partitions via the Virtual Machine Bus (VMBus): it’s how Hyper-V allows child partitions to believe they are real machines. Given that this entire architecture is a security boundary, it is somewhat surprising that Microsoft has not acknowledged any Hyper-V NT Kernel Integration VSP vulnerabilities until today, although it would not be at all unexpected if more vulnerabilities come to light now. The advisories disclosed today do not specify whether the privilege escalation is restricted to SYSTEM within the child partition, but experts in container escape will surely be on the lookout for exploits in this domain.

Many enterprise users or even administrators might overlook Windows Themes often, but consider CVE-2025-21308: a spoofing vulnerability where successful exploitation enables the improper disclosure of an NTLM hash, allowing an attacker to impersonate the user from whom it was obtained. Microsoft doesn’t possess evidence of exploitation occurring in the wild, but it acknowledges public disclosure. The advisory FAQ circumvents a detailed explanation of the exploitation strategy; what it reveals is that once an attacker has somehow delivered a malicious file to the target system, the user would need to interact with the malicious file, without necessarily clicking or opening it. Lacking further details, we can only conjecture, but it’s conceivable that simply opening a directory containing the file in Windows Explorer – including the Downloads folder – or inserting a USB drive could be sufficient to activate the vulnerability and cause the NTLM hash to leak silently for collection by the threat actor.

Some positive news: Microsoft has eliminated NTLMv1 support from Windows 11 24H2 and Server 2025 onwards. Less favorable: it has been a full two months since Microsoft last addressed a zero-day NTLM disclosure vulnerability; that flaw was within MSHTML/Trident, and Windows 11 24H2 and Server 2025 remained susceptible, as NTLMv2 is still universally supported. In the advisory for CVE-2025-21308, Microsoft does refer to documents outlining a mitigation strategy: restricting NTLM traffic. This is certainly worthy of attention, as a representative from the reporting research organization 0patch has verified that NTLMv2 is impacted by CVE-2025-21308.
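The NTLM restriction Microsoft points to as the mitigation for CVE-2025-21308 is controlled by the "Network security: Restrict NTLM" policies, and the hash leak itself only matters if the coerced SMB authentication can actually leave the network. The following PowerShell is an added example, not code from the article or from Microsoft: it audits the documented registry values behind those policies and, optionally, adds a host-firewall rule that blocks outbound SMB to Internet addresses. Run it in an elevated session; the rule is only created when you drop `-WhatIf`.

```powershell
# Added example (not from the article): audit the NTLM-restriction settings that the
# CVE-2025-21308 advisory references, and optionally block outbound SMB to the Internet
# so a leaked NTLMv2 response cannot reach a server outside the organisation.
# Registry paths/value names are the documented locations of the
# "Network security: Restrict NTLM" and "LAN Manager authentication level" policies.

function Get-NtlmRestrictionState {
    [CmdletBinding()]
    param()

    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = Join-Path $lsa 'MSV1_0'

    # Read a DWORD policy value, returning $null when it has never been set
    function Read-Dword([string]$Path, [string]$Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $lmLevel  = Read-Dword $lsa   'LmCompatibilityLevel'        # 5 = send NTLMv2 only, refuse LM and NTLMv1
    $outbound = Read-Dword $msv10 'RestrictSendingNTLMTraffic'  # 0 allow all, 1 audit, 2 deny all
    $inbound  = Read-Dword $msv10 'RestrictReceivingNTLMTraffic' # 0 allow all, 1 deny domain accounts, 2 deny all
    $audit    = Read-Dword $msv10 'AuditReceivingNTLMTraffic'   # 0 off, 1 domain accounts, 2 all accounts

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($null -eq $lmLevel -or $lmLevel -lt 5) {
        $findings.Add('LmCompatibilityLevel is below 5: NTLMv1 responses may still be sent.')
    }
    if ($outbound -ne 2) {
        $findings.Add('Outgoing NTLM traffic is not denied: a coerced authentication can still leak an NTLMv2 response.')
    }
    if ($null -eq $audit -or $audit -eq 0) {
        $findings.Add('NTLM audit logging is off: leaks would not appear in the NTLM operational event log.')
    }

    [pscustomobject]@{
        LmCompatibilityLevel        = $lmLevel
        RestrictSendingNTLMTraffic  = $outbound
        RestrictReceivingNTLMTraffic = $inbound
        AuditReceivingNTLMTraffic   = $audit
        Findings                    = $findings.ToArray()
    }
}

function Block-OutboundSmbToInternet {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RuleName = 'Block outbound SMB to Internet (NTLM leak mitigation)')

    # Skip if an identically named rule already exists
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$RuleName' already present"
        return
    }
    if ($PSCmdlet.ShouldProcess('Windows Defender Firewall', "create rule '$RuleName'")) {
        # 'Internet' is the built-in address keyword for non-local, non-intranet ranges
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445, 139 -RemoteAddress Internet -Profile Any | Out-Null
    }
}

# Usage:
#   Get-NtlmRestrictionState | Format-List
#   Block-OutboundSmbToInternet -WhatIf    # preview; drop -WhatIf to apply
```

The audit reports only; setting `RestrictSendingNTLMTraffic` to 2 outright will break any application that still relies on NTLM, so the usual sequence is to enable auditing first, review the NTLM operational log, add exceptions, and only then deny. The firewall rule covers SMB only; WebDAV over HTTP can also carry NTLM, which is one reason the policy-level restriction is the primary control.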

Installing or upgrading software typically necessitates elevated permissions, and both researchers and malicious actors have been aware of this for quite some time. The advisory for CVE-2025-21275 does not burden us with extensive descriptions; it merely states that successful exploitation results in SYSTEM privileges. Microsoft is informed about the public exposure of this vulnerability, but not regarding active exploitation in the wild. CVE-2025-21275 is the most recent in a long series of Windows Installer elevation of privilege vulnerabilities; Microsoft has now disclosed 37 Windows Installer elevation of privilege susceptibilities in total since early 2020, with only five classified as zero-days, and only CVE-2024-38014 being known by Microsoft to have been exploited before its announcement in September 2024.

Microsoft’s internal research teams are a dependable source of vulnerability detection in Microsoft products, and today we are presented with patches for the Microsoft-discovered CVE-2025-21307, a critical RCE in the Windows Reliable Multicast Transport Driver (RMCAST) with a CVSSv3 base score of 9.8. The vulnerability can only be exploited on a system where an application is listening on a Pragmatic General Multicast (PGM) port.

By 2025, you might legitimately expect that any service a major commercial operating system presents to the network would have at least some form of authentication capability, yet if that’s the case, brace yourself for disappointment regarding the Windows implementation of PGM. The protocol was first detailed in RFC 3208, published in 2001 as an experimental specification, and it has stayed that way. As Microsoft itself puts it, “the PGM specification [RFC3208] is vague in several areas”. Given that CVE-2025-21307 requires no user interaction and has a remote attack vector, it’s prudent to ask yourself: does our firewall permit a PGM receiver to accept inbound traffic from the public internet? If it does, the next best moment to block that is right now.
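Because PGM is its own IP protocol (number 113, per RFC 3208) rather than a TCP or UDP service, it will not show up in a `netstat` listener list, so the question the paragraph asks needs a different check. The script below is an added example, not from the article or from Microsoft: it reports whether the Reliable Multicast driver and the MSMQ multicasting feature are present on the host and which enabled inbound allow rules would admit protocol 113, and it can add an explicit inbound block. The driver service name `RMCAST` and the feature name `MSMQ-Multicasting` are assumptions based on how the component is packaged; verify them on your build.

```powershell
# Added example (not from the article): assess CVE-2025-21307 exposure on this host.
# PGM is IP protocol 113, so firewall rules (not TCP/UDP ports) decide whether it is reachable.
# Assumptions: the Reliable Multicast driver is registered as 'RMCAST' and PGM support
# arrives with the optional feature 'MSMQ-Multicasting'. Run elevated.

function Test-PgmExposure {
    [CmdletBinding()]
    param()

    # 1. Is the Reliable Multicast driver registered, and is it currently running?
    $driver = Get-CimInstance Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue

    # 2. Is the MSMQ multicasting feature (which depends on PGM) enabled?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Multicasting' -ErrorAction SilentlyContinue

    # 3. Which enabled inbound allow rules would pass protocol 113? Rules with Protocol 'Any'
    #    also pass it, so they are counted separately rather than ignored.
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    $pgmRules = @(); $anyProtoRules = @()
    foreach ($rule in $allowRules) {
        $proto = ($rule | Get-NetFirewallPortFilter).Protocol
        if ($proto -eq '113')     { $pgmRules      += $rule.DisplayName }
        elseif ($proto -eq 'Any') { $anyProtoRules += $rule.DisplayName }
    }

    $driverPresent = $null -ne $driver
    $driverRunning = $driverPresent -and $driver.State -eq 'Running'
    $featureOn     = $null -ne $feature -and $feature.State -eq 'Enabled'

    # Exposed only when the PGM stack is loaded AND something lets protocol 113 in
    $exposed = $driverRunning -and (($pgmRules.Count + $anyProtoRules.Count) -gt 0)

    [pscustomobject]@{
        DriverPresent            = $driverPresent
        DriverRunning            = $driverRunning
        MsmqMulticastingEnabled  = $featureOn
        InboundRulesAllowingPgm  = $pgmRules
        InboundRulesAllowingAny  = $anyProtoRules
        LikelyReachableOverPgm   = $exposed
    }
}

function Block-InboundPgm {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RuleName = 'Block inbound PGM (IP protocol 113)')

    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess('Windows Defender Firewall', "create rule '$RuleName'")) {
        # Protocol accepts the raw IP protocol number as a string; Block wins over Allow
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Protocol 113 -Profile Any | Out-Null
    }
}

# Usage:
#   Test-PgmExposure | Format-List
#   Block-InboundPgm -WhatIf    # preview; drop -WhatIf to apply
```

A host that does not need multicast at all is better served by leaving the MSMQ multicasting feature uninstalled than by a firewall rule; the block rule is for hosts where the feature must stay but PGM should never be reachable from untrusted networks. Because the Windows firewall evaluates block rules before allow rules, the explicit protocol-113 block also neutralises broad "Any protocol" allow rules for this case.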

Outlook administrators who compel their users to view emails solely in plain text can bypass this paragraph, but everyone else should take note of CVE-2025-21298, a critical RCE in Windows Object Linking and Embedding (OLE) with a CVSSv3 base score of 9.8. The perpetual danger of harmful incoming email manifests again here; simply previewing the incorrect email in Outlook is sufficient for an attacker to execute code in the context of the user. All versions of Windows receive an update.
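The plain-text reading mode the paragraph opens with is a registry-backed Outlook option ("Read all standard mail in plain text"), and it can be pushed either as a per-user preference or as a policy the user cannot revert. The function below is an added example, not from the article or from Microsoft: it writes the documented `ReadAsPlain` and `ReadAsPlainSigned` values for the given Office version key (`16.0` covers Office 2016, 2019 and Microsoft 365 Apps) and reports the current state. It only reduces what a preview renders; the CVE-2025-21298 patch is still required.

```powershell
# Added example (not from the article): enforce plain-text reading in Outlook so that
# previewing a message does not render rich (OLE/RTF/HTML) content.
# Values are the documented Outlook options; '16.0' is the key for Office 2016/2019/365.

function Set-OutlookPlainTextReading {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$OfficeVersion = '16.0',
        [switch]$AsPolicy,            # write under Policies so the user cannot switch it back
        [switch]$IncludeSignedMail    # also force plain text for digitally signed messages
    )

    $base = if ($AsPolicy) { 'HKCU:\Software\Policies\Microsoft\Office' }
            else           { 'HKCU:\Software\Microsoft\Office' }
    $key = Join-Path $base "$OfficeVersion\Outlook\Options\Mail"

    if ($PSCmdlet.ShouldProcess($key, 'Set ReadAsPlain=1')) {
        New-Item -Path $key -Force | Out-Null   # creates intermediate keys if absent
        New-ItemProperty -Path $key -Name 'ReadAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
        if ($IncludeSignedMail) {
            New-ItemProperty -Path $key -Name 'ReadAsPlainSigned' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-OutlookPlainTextReading {
    [CmdletBinding()]
    param([string]$OfficeVersion = '16.0')

    # Policy location takes precedence over the user preference when both exist
    $paths = [ordered]@{
        Policy     = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
        Preference = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    }
    foreach ($scope in $paths.Keys) {
        $props = Get-ItemProperty -Path $paths[$scope] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope             = $scope
            ReadAsPlain       = $props.ReadAsPlain
            ReadAsPlainSigned = $props.ReadAsPlainSigned
            Enforced          = ($props.ReadAsPlain -eq 1)
        }
    }
}

# Usage:
#   Get-OutlookPlainTextReading
#   Set-OutlookPlainTextReading -AsPolicy -IncludeSignedMail -WhatIf   # preview; drop -WhatIf to apply
```

Writing to HKCU affects only the current user, so fleet-wide deployment belongs in Group Policy (the Outlook ADMX "Read e-mail as plain text" setting maps to the same Policies value) or in a logon script run in the user context. Outlook picks the change up on next start.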

In news regarding the Microsoft product life cycle, Visual Studio 2022 17.6 LTSC has received its final update today.

