Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review

Diksha Ojha

Last updated on: January 15, 2025

Happy New Year! As the calendar turns to January 2025, Microsoft’s first Patch Tuesday of 2025 has arrived. From zero-days to critical vulnerabilities, here is a breakdown of what has been patched and what deserves your attention.

Microsoft Patch Tuesday for January 2025

Microsoft Patch Tuesday’s January 2025 edition addressed 159 vulnerabilities, including 10 critical and 149 important severity vulnerabilities. In this month’s updates, Microsoft has addressed eight zero-day vulnerabilities, three of which have been actively exploited in attacks.

Microsoft has not addressed any vulnerability in Microsoft Edge (Chromium-based) in this month’s updates.

Microsoft Patch Tuesday, January edition includes updates for vulnerabilities in .NET, .NET and Visual Studio, Microsoft Windows Search Component, Windows Installer, Windows Kerberos, Windows Kernel Memory, Windows Remote Desktop Services, Windows Secure Boot, and more.

Microsoft has fixed several flaws across multiple products, covering Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, and Remote Code Execution (RCE).

The January 2025 Microsoft vulnerabilities are classified as follows:

Vulnerability Category                 Quantity   Severities
Spoofing Vulnerability                 5          Important: 5
Denial of Service Vulnerability        20         Important: 20
Elevation of Privilege Vulnerability   40         Critical: 1, Important: 39
Information Disclosure Vulnerability   22         Important: 22
Remote Code Execution Vulnerability    58         Critical: 9, Important: 49
Security Feature Bypass                14         Important: 14

Adobe Patches for January 2025

Adobe has released five security advisories to address 14 vulnerabilities in Substance 3D Stager, Adobe Photoshop, Adobe Illustrator on iPad, Substance 3D Designer, and Adobe Animate. All of these vulnerabilities are given critical severity ratings. Successful exploitation of these vulnerabilities may lead to arbitrary code execution.

Zero-day Vulnerabilities Patched in January Patch Tuesday Edition

CVE-2025-21333, CVE-2025-21334, & CVE-2025-21335: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability

Windows Hyper-V NT Kernel Integration VSP refers to the Virtualization Service Provider component within the Hyper-V virtualization platform on Windows. The component acts as a bridge between the Hyper-V hypervisor and the Windows NT kernel, allowing seamless communication and management of virtual machines running on the host system.

Successful exploitation of the vulnerability could allow an attacker to gain SYSTEM privileges.

CVE-2025-21366, CVE-2025-21395, & CVE-2025-21186: Microsoft Access Remote Code Execution Vulnerability

Microsoft Access is a database management system (DBMS) that helps users store, organize, and analyze data. Microsoft Access stores data in its own format, or it can import or link to data from other applications.

Microsoft addressed the vulnerabilities by blocking access to the following extensions:

  • accdb
  • accde
  • accdw
  • accdt
  • accda
  • accdr
  • accdu

CVE-2025-21275: Windows App Package Installer Elevation of Privilege Vulnerability

A Windows App Package Installer, often called App Installer, is a built-in component of the Windows operating system that allows users to install applications easily.

An attacker could gain SYSTEM privileges upon successful exploitation of the vulnerability.

CVE-2025-21308: Windows Themes Spoofing Vulnerability

Windows themes are a combination of colors, sounds, and pictures that you can use to personalize your Windows PC.

Successful exploitation of the vulnerability requires an attacker to convince the user to load a malicious file onto a vulnerable system.

Critical Severity Vulnerabilities Patched in January Patch Tuesday Edition

CVE-2025-21294: Microsoft Digest Authentication Remote Code Execution Vulnerability

Microsoft Digest Authentication is a security mechanism that uses a challenge-response protocol to verify user credentials without sending the actual password in plain text over the network.

An attacker must win a race condition to exploit the vulnerability. An attacker could exploit this vulnerability by connecting to a system that requires digest authentication. This will trigger the race condition to create a use-after-free scenario, leading to arbitrary code execution.

CVE-2025-21295: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

SPNEGO Extended Negotiation (NEGOEX) is a security mechanism that extends the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) capabilities. The mechanism allows clients and servers to negotiate a standard authentication protocol based on additional metadata like trust configurations.

An attacker must manipulate system operations in a specific manner to exploit the vulnerability. Upon successful exploitation, an attacker could achieve remote code execution without user interaction.

CVE-2025-21296: BranchCache Remote Code Execution Vulnerability

BranchCache is a Windows feature that optimizes wide area network (WAN) bandwidth by caching content on local computers in branch offices.

An attacker must win a race condition to exploit the vulnerability.

CVE-2025-21297 & CVE-2025-21309: Windows Remote Desktop Services Remote Code Execution Vulnerability

Windows Remote Desktop Services (RDS) is a Microsoft feature that allows users to access and control a remote computer’s desktop and applications over a network connection.

An attacker must win a race condition to exploit the vulnerabilities. An attacker could exploit these vulnerabilities by connecting to a system with the Remote Desktop Gateway role. The attacker would then trigger the race condition to create a use-after-free scenario, ultimately leading to arbitrary code execution.

CVE-2025-21298: Windows OLE Remote Code Execution Vulnerability

Object Linking and Embedding (OLE) is a Microsoft Windows standard that allows users to create and edit documents that contain objects from multiple applications.

An attacker may exploit the vulnerability in an email attack scenario by sending a specially crafted email to the victim. The victim must open the specially crafted email with an affected version of Microsoft Outlook for successful exploitation. Upon successful exploitation, an attacker can achieve remote code execution on the victim’s machine.

CVE-2025-21307: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

The Windows Reliable Multicast Transport Driver (RMCAST) is a component within the Windows operating system that enables reliable multicast data transmission.

An unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast (PGM) open socket on the server without any interaction from the user.

CVE-2025-21311: Windows NTLM V1 Elevation of Privilege Vulnerability

Windows NTLM V1 (NT LAN Manager Version 1) is a Microsoft authentication protocol used for network logins on Windows systems.

Successful exploitation of the vulnerability could allow an attacker to escalate privileges.

CVE-2025-21354 & CVE-2025-21362: Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel is a spreadsheet program that helps users organize and analyze data. It’s available on Windows, macOS, Android, iOS, and iPadOS.

Successful exploitation of the vulnerability could allow an attacker to achieve remote code execution on vulnerable targets.

Other Microsoft Vulnerability Highlights

  • CVE-2025-21210 is an information disclosure vulnerability in Windows BitLocker. Successful exploitation of the vulnerability could allow an attacker to disclose unencrypted hibernation images in cleartext.
  • CVE-2025-21268, CVE-2025-21219, CVE-2025-21189, CVE-2025-21328, & CVE-2025-21329 are security feature bypass vulnerabilities in MapUrlToZone. Upon successful exploitation, an attacker could bypass the MapUrlToZone method to view some sensitive information.
  • CVE-2025-21269 is a security feature bypass vulnerability in Windows HTML Platforms. Successful exploitation of the vulnerability could allow an attacker to view some sensitive information.
  • CVE-2025-21292 is an elevation of privilege vulnerability in Windows Search Service. Successful exploitation of the vulnerability could allow an attacker to gain SYSTEM privileges.
  • CVE-2025-21299 is a security feature bypass vulnerability in Windows Kerberos. Successful exploitation of the vulnerability could allow an attacker to bypass the Windows Defender Credential Guard feature to leak Kerberos credentials.
  • CVE-2025-21314 is a spoofing vulnerability in Windows SmartScreen. To successfully exploit the vulnerability, an attacker must send the victim a malicious file that the victim would have to execute.
  • CVE-2025-21315 is an elevation of privilege vulnerability in the Microsoft Brokering File System. Upon successful exploitation, an attacker could potentially gain the ability to crash the system by exploiting the use-after-free vulnerability.
  • CVE-2025-21364 is a security feature bypass vulnerability in Microsoft Excel. Successful exploitation of the vulnerability may allow an attacker to bypass Office macro policies used to block untrusted or malicious files.
  • CVE-2025-21365 is a remote code execution vulnerability in Microsoft Office. Successful exploitation of the vulnerability may allow an attacker to achieve remote code execution.

Microsoft Release Summary

This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, .NET, .NET Framework, Visual Studio; Visual Studio, Microsoft Office Access, Power Automate, Windows MapUrlToZone, Active Directory Federation Services, Windows Recovery Environment Agent, Windows Connected Devices Platform Service, Windows Virtual Trusted Platform Module, Windows Boot Loader, Windows BitLocker, Windows Boot Manager, Windows Mark of the Web (MOTW), Windows Message Queuing, Windows Telephony Service, Line Printer Daemon Service (LPD), Windows Digital Media, IP Helper, Windows PrintWorkflowUserSvc, Windows WLAN Auto Config Service, Windows Cloud Files Mini Filter Driver, Windows COM, Windows Event Tracing, Windows Direct Show, Active Directory Domain Services, Microsoft Digest Authentication, Windows SPNEGO Extended Negotiation, BranchCache, Windows OLE, Windows UPnP Device Host, Windows Geolocation Service, Windows DWM Core Library, Reliable Multicast Transport Driver (RMCAST), Windows Themes, Windows NTLM, Windows Smart Card, Windows Security Account Manager, Windows SmartScreen, Microsoft Brokering File System, Internet Explorer, Windows Hyper-V NT Kernel Integration VSP, Windows Cryptographic Services, Windows Win32K – GRFX, Windows Hello, Windows Web Threat Defense User Service, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Office, Microsoft Office Excel, Microsoft Office Outlook, Microsoft AutoUpdate (MAU), Microsoft Office Outlook for Mac, Microsoft Office Word, Windows Virtualization-Based Security (VBS) Enclave, Windows Client-Side Caching (CSC) Service, Azure Marketplace SaaS Resources, Microsoft Graphics Component, Microsoft Purview, Microsoft Office OneNote, and Microsoft Azure Gateway Manager.

EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)

Qualys Policy Compliance’s out-of-the-box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited when the remediation (fix/patch) cannot be applied right now. These security controls are not among those recommended by industry standards such as CIS or DISA-STIG.

Qualys Policy Compliance team releases these exclusive controls based on Vendor-suggested Mitigation/Workaround.

Mitigation refers to a setting, common configuration, or general best-practice existing in a default state that could reduce the severity of exploitation of a vulnerability.

A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.

The following Qualys Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:

CVE-2025-21311: Windows NTLM V1 Elevation of Privilege Vulnerability

This vulnerability has a CVSS 3.1 score of 9.8 / 8.5 (base / temporal).

Policy Compliance Control IDs (CIDs):

  • 1387 Status of the ‘Network Security: LAN Manager Authentication Level’ setting

The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:

control.id: [1387]

CVE-2025-21298: Windows OLE Remote Code Execution Vulnerability

This vulnerability has a CVSS 3.1 score of 9.8 / 8.5 (base / temporal).

Policy Compliance Control IDs (CIDs):

  • 13815 Status of the ‘Read signed e-mail as plain text’ group policy setting
  • 13818 Status of the ‘Read e-mail as plain text’ group policy setting

The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:

control.id: [13815,13818]

CVE-2025-21307: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

This vulnerability has a CVSS 3.1 score of 9.8 / 8.5 (base / temporal).

Policy Compliance Control IDs (CIDs):

  • 14916 Status of Windows Services
  • 14297 Status of the open network connections and listening ports (Qualys Agent only)
  • 4030 Status of the ‘Windows Message Queuing Service’

The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:

control.id: [14916,14297,4030]

CVE-2025-21308: Windows Themes Spoofing Vulnerability

This vulnerability has a CVSS 3.1 score of 6.5 / 5.7 (base / temporal).

Policy Compliance Control IDs (CIDs):

  • 8243 Configure ‘Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers’
  • 8230 Configure ‘Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication’

The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:

control.id: [8243,8230]

CVE-2025-21224: Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

This vulnerability has a CVSS 3.1 score of 8.1 / 7.1 (base / temporal).

Policy Compliance Control IDs (CIDs):

  • 14916 Status of Windows Services

The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:

control.id: [14916]
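The CIDs above are assessed by Qualys Policy Compliance; the script below is an added example (not from the Qualys post or product) that performs the same read-only checks locally on one host, so a defender can confirm the vendor-suggested mitigations before the patch lands. The registry value names and service names are the standard Windows and Office ones and are not quoted on the page; the Outlook path assumes Office 16.0.

```powershell
# Added example, not part of the original post. Local read-only audit of the
# mitigations the CIDs above assess. Run in an elevated PowerShell session.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

$findings = @()

# CVE-2025-21311 / CID 1387: LAN Manager Authentication Level.
# 5 = send NTLMv2 only, refuse LM and NTLM (NTLMv1 disabled).
$lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
$findings += [pscustomobject]@{ CVE = 'CVE-2025-21311'; Control = 'LmCompatibilityLevel'
                                Value = $lm; Compliant = ($lm -eq 5) }

# CVE-2025-21308 / CIDs 8243, 8230: outgoing NTLM to remote servers.
# 2 = deny all; the exceptions list shows which servers are still allowed.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict   = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
$exceptions = Get-RegValue $msv 'ClientAllowedNTLMServers'
$findings += [pscustomobject]@{ CVE = 'CVE-2025-21308'; Control = 'RestrictSendingNTLMTraffic'
                                Value = "$restrict (exceptions: $($exceptions -join ','))"
                                Compliant = ($restrict -eq 2) }

# CVE-2025-21298 / CIDs 13815, 13818: Outlook reads mail as plain text (policy hive).
$mail = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'
foreach ($name in 'ReadAsPlain', 'ReadSignedAsPlain') {
    $val = Get-RegValue $mail $name
    $findings += [pscustomobject]@{ CVE = 'CVE-2025-21298'; Control = $name
                                    Value = $val; Compliant = ($val -eq 1) }
}

# CVE-2025-21307 and CVE-2025-21224 / CIDs 14916, 4030: Message Queuing pulls in
# the RMCAST (PGM) transport; LPDSVC is the Line Printer Daemon. A service that is
# stopped or not installed exposes no listening surface for these two.
foreach ($svc in 'MSMQ', 'LPDSVC') {
    $cve   = if ($svc -eq 'MSMQ') { 'CVE-2025-21307' } else { 'CVE-2025-21224' }
    $s     = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $state = if ($s) { $s.Status } else { 'NotInstalled' }
    $findings += [pscustomobject]@{ CVE = $cve; Control = "$svc service"
                                    Value = $state; Compliant = ($state -ne 'Running') }
}

$findings | Format-Table -AutoSize
```

Rows with Compliant set to False are hosts where the workaround is not in place and the patch should be prioritised.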

The next Patch Tuesday falls on February 11, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are a part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.

Join the webinar: This Month in Vulnerabilities & Patches
