
Patch Tuesday January 2025: Three Hyper-V Zero-days and New Outlook in Windows 10

The January 2025 updates from Microsoft bring fixes for a large number of vulnerabilities, including three zero-days marked Exploitation Detected (under active exploitation) that affect Windows Hyper-V, and five more Publicly Disclosed zero-days that are marked Exploitation Less Likely but should still be addressed through patching and additional mitigations. Microsoft is also pushing the new Outlook onto Windows 10 devices enrolled in preview updates, which will need attention from MSPs that don't want their helpdesk queues backing up with complaints from users confronted with an unfamiliar version of Outlook that appeared overnight.

Microsoft Vulnerabilities

A total of 159 vulnerabilities were addressed in January's Patch Tuesday release, including the zero-days above, as well as fixes that improve the resiliency of Windows 10 22H2 and Windows 10 21H2 against Bring Your Own Vulnerable Driver (BYOVD) attacks. On top of this there are fixes for 17 vulnerabilities marked Exploitation More Likely, so factor these into your planning for this month's patching. As always, weigh temporal factors such as the likelihood of exploitation, not just severity, to manage risk properly.

CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are the three zero-days marked Exploitation Detected, and all three involve Windows Hyper-V. They are privilege escalation vulnerabilities (an attacker who already has local code execution can use them to reach SYSTEM), and they deserve the attention of IT admins and MSPs because they affect not only servers running the Hyper-V role but also Windows 10 and Windows 11 clients. Hyper-V has become the modern Windows equivalent of Internet Explorer: deeply embedded in the OS, used for things you would never expect it to be part of, and forever poking its head up in vulnerability reports where you least expect it. As zero-days under exploitation with a wide install base of affected Windows 10 and Windows 11 devices, these belong at the top of your priority list.

CVE-2025-21186 and CVE-2025-21366 are remote code execution vulnerabilities affecting Microsoft Office 2016, 2019, 2021 and 2024, Microsoft 365 Apps and Microsoft Access 2016, exploited through modified Microsoft Access database files. Microsoft's guidance is to apply the security updates through normal patching and Office's Click-to-Run update mechanism. In addition, consider blocking the following file extensions at your email filter to reduce exposure and buy some breathing room while the affected devices are updated:

  • *.accdb
  • *.accde
  • *.accdw
  • *.accdt
  • *.accda
  • *.accdr
  • *.accdu
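As an added example (not from the original post), here is how that extension list can be turned into an Exchange Online mail flow rule with PowerShell. It assumes the ExchangeOnlineManagement module is installed and that you have already run Connect-ExchangeOnline with an account holding the Transport Rules role; the rule name and comment text are arbitrary choices.

```powershell
# Added example, not from the original post: quarantine inbound mail carrying
# Access database attachments while the Office updates for CVE-2025-21186 and
# CVE-2025-21366 roll out. Assumes Connect-ExchangeOnline has already been run.

$ruleName = 'Quarantine Access database attachments (Jan 2025 Patch Tuesday)'

# The extension list from the post. AttachmentExtensionMatchesWords takes the
# extension without the leading dot.
$accessExtensions = 'accdb', 'accde', 'accdw', 'accdt', 'accda', 'accdr', 'accdu'

$existing = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue

if ($existing) {
    # Re-running the script just refreshes the list on the existing rule.
    Write-Host "Rule '$ruleName' already exists; updating its extension list."
    Set-TransportRule -Identity $ruleName -AttachmentExtensionMatchesWords $accessExtensions
} else {
    $ruleParams = @{
        Name                            = $ruleName
        FromScope                       = 'NotInOrganization'   # inbound only; internal Access sharing keeps working
        AttachmentExtensionMatchesWords = $accessExtensions
        Quarantine                      = $true                 # admin can release a legitimate database
        Priority                        = 0                     # evaluate before other rules
        Comments                        = 'Temporary mitigation while Office Click-to-Run updates are applied. Remove once all devices are patched.'
    }
    New-TransportRule @ruleParams
}

# Show what is now in force so the change can be recorded in the ticket.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, Priority, FromScope, Quarantine, AttachmentExtensionMatchesWords
```

Quarantining rather than rejecting keeps a legitimate database recoverable by an admin. Extension matching is a stop-gap, not a fix: it does not see databases delivered through file-sharing links or renamed before being sent, so treat it as the breathing room the post describes and remove the rule once Click-to-Run updates have reached every device.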

Preview Update KB5050081

Also of interest this month is the preview update KB5050081, which should act as an early warning for IT admins and MSPs that still have Windows 10 devices in their fleets. This preview update forces installation of the new Outlook for Windows app. If you have seen the "Try the new Outlook" button in Outlook, you've already been exposed to the upcoming change. If you're not ready to migrate your fleet to the new Outlook, Microsoft publishes guidance on how to block the change until you are. Since the preview update forces the change, it's reasonable to expect that February's cumulative update may do the same. If you'd rather not field a flood of helpdesk requests for training and "fix my broken Outlook", getting messaging and an action plan together beforehand will save a lot of end-user frustration.
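As an added example (not from the original post), the script below applies Microsoft's documented block on a Windows 10 device and reports whether the new Outlook has already landed. The registry location and value are the ones Microsoft's guidance for controlling new Outlook installation documented at the time of writing; confirm them against the current guidance before deploying fleet-wide. It must run elevated because it writes to HKLM, and the function names are this example's own.

```powershell
# Added example, not from the original post: keep the new Outlook for Windows
# from being pushed onto a Windows 10 device ahead of a planned migration.
# Registry key and value are from Microsoft's new Outlook installation guidance
# at the time of writing; verify before deploying. Run elevated (writes HKLM).

$blockKey   = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator\UScheduler_Oobe'
$blockValue = 'BlockedOobeUpdaters'
$blockData  = '["MS_Outlook"]'   # REG_SZ holding exactly this text, quotes included

function Test-NewOutlookBlocked {
    # True when the blocking value is present with the expected data.
    $current = Get-ItemProperty -Path $blockKey -Name $blockValue -ErrorAction SilentlyContinue
    return ($null -ne $current -and $current.$blockValue -eq $blockData)
}

function Enable-NewOutlookBlock {
    if (-not (Test-Path $blockKey)) { New-Item -Path $blockKey -Force | Out-Null }
    Set-ItemProperty -Path $blockKey -Name $blockValue -Value $blockData -Type String
}

function Disable-NewOutlookBlock {
    # Reverse the change once messaging and training for the migration are ready.
    Remove-ItemProperty -Path $blockKey -Name $blockValue -ErrorAction SilentlyContinue
}

function Test-NewOutlookInstalled {
    # True if the new Outlook package is already present for any user on this device.
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.OutlookForWindows' -ErrorAction SilentlyContinue
    return ($null -ne $pkg)
}

# Typical RMM run: confirm the OS, report state, then block if not already blocked.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Windows 10') {
    Write-Warning "Not Windows 10 ($($os.Caption)); no action taken."
    return
}

if (Test-NewOutlookInstalled) {
    Write-Warning 'New Outlook is already installed here; the block only prevents future pushes.'
}
if (-not (Test-NewOutlookBlocked)) { Enable-NewOutlookBlock }

# One object per device so the RMM can aggregate the results across the fleet.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Blocked           = Test-NewOutlookBlocked
    NewOutlookPresent = Test-NewOutlookInstalled
}
```

The block stops the update from installing the app; it does not uninstall a copy that is already there, which is why the script reports both states. Run Disable-NewOutlookBlock through the same RMM job when you are ready to let the migration proceed.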

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of established best practices and informed judgment. It's a natural instinct to rank vulnerabilities with Critical severity ratings at the top of the list, but severity alone is a limited signal. An often-overlooked component is the temporal dimension: CVSS temporal metrics (exploit code maturity, remediation level, report confidence) and Microsoft's own exploitability assessment capture how the risk from a given bug changes over time, and the window of vulnerability, the time from initial disclosure to the availability and application of a patch, is where that risk accrues. The longer a vulnerability exists unpatched, the greater the potential for exploitation. By integrating these temporal signals into risk evaluation, organizations get a more complete picture of the threat landscape and the likely attack vectors, and avoid leaving themselves open to unnecessary risk.

Table key. Severity: C = Critical, I = Important, M = Moderate, R = Re-issue. Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available.

| CVE Number | CVE Title | Severity | Status |
|---|---|---|---|
| CVE-2025-21292 | Windows Search Service Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-21189 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML |
| CVE-2025-21328 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML |
| CVE-2025-21329 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML |
| CVE-2025-21219 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML |
| CVE-2025-21365 | Microsoft Office Remote Code Execution Vulnerability | I | EML |
| CVE-2025-21364 | Microsoft Excel Security Feature Bypass Vulnerability | I | EML |
| CVE-2025-21362 | Microsoft Excel Remote Code Execution Vulnerability | C | EML |
| CVE-2025-21354 | Microsoft Excel Remote Code Execution Vulnerability | C | EML |
| CVE-2025-21315 | Microsoft Brokering File System Elevation of Privilege Vulnerability | I | EML |
| CVE-2025-21314 | Windows SmartScreen Spoofing Vulnerability | I | EML |
| CVE-2025-21309 | Windows Remote Desktop Services Remote Code Execution Vulnerability | C | EML |
| CVE-2025-21299 | Windows Kerberos Security Feature Bypass Vulnerability | I | EML |
| CVE-2025-21298 | Windows OLE Remote Code Execution Vulnerability | C | EML |
| CVE-2025-21269 | Windows HTML Platforms Security Feature Bypass Vulnerability | I | EML |
| CVE-2025-21268 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML |
| CVE-2025-21210 | Windows BitLocker Information Disclosure Vulnerability | I | EML |
| CVE-2025-21311 | Windows NTLM V1 Elevation of Privilege Vulnerability | C | ELL |
| CVE-2025-21307 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-21297 | Windows Remote Desktop Services Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-21296 | BranchCache Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-21295 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-21294 | Microsoft Digest Authentication Remote Code Execution Vulnerability | C | ELL |
| CVE-2024-49120 | Windows Remote Desktop Services Remote Code Execution Vulnerability | C | ELL |
| CVE-2025-21334 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | I | ED |
| CVE-2025-21333 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | I | ED |
| CVE-2025-21335 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | I | ED |
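As an added example (not from the original post), the script below applies the prioritization argued for in this section to the table above: exploitability status first, severity second, plus an age term so that anything left unpatched climbs the list as the window of vulnerability grows. The rows are transcribed from the table as constructed input; the weights, tier names and the Get-PatchPriority function are this example's own assumptions, to be tuned to your own risk appetite.

```powershell
# Added example, not from the original post: rank this month's CVEs by
# exploitability status, severity and age rather than by severity alone.
# Weights and tier names are assumptions; adjust them to your environment.

# Table key from the post: ED = Exploitation Detected, EML = Exploitation More
# Likely, ELL = Exploitation Less Likely, EU = Exploitation Unlikely.
$statusWeight   = @{ 'ED' = 100; 'EML' = 50; 'ELL' = 10; 'EU' = 0; 'N/A' = 5 }
$severityWeight = @{ 'C' = 10; 'I' = 5; 'M' = 2; 'R' = 1 }

# Zero-days called out in the post; a zero-day outranks its severity rating.
$zeroDays = 'CVE-2025-21333', 'CVE-2025-21334', 'CVE-2025-21335'

# January 2025 Patch Tuesday release date; age is counted from here.
$patchTuesday = Get-Date '2025-01-14'

# Constructed input: the rows of the table above.
$rows = @'
CVE,Title,Severity,Status
CVE-2025-21292,Windows Search Service Elevation of Privilege Vulnerability,I,EML
CVE-2025-21189,MapUrlToZone Security Feature Bypass Vulnerability,I,EML
CVE-2025-21328,MapUrlToZone Security Feature Bypass Vulnerability,I,EML
CVE-2025-21329,MapUrlToZone Security Feature Bypass Vulnerability,I,EML
CVE-2025-21219,MapUrlToZone Security Feature Bypass Vulnerability,I,EML
CVE-2025-21365,Microsoft Office Remote Code Execution Vulnerability,I,EML
CVE-2025-21364,Microsoft Excel Security Feature Bypass Vulnerability,I,EML
CVE-2025-21362,Microsoft Excel Remote Code Execution Vulnerability,C,EML
CVE-2025-21354,Microsoft Excel Remote Code Execution Vulnerability,C,EML
CVE-2025-21315,Microsoft Brokering File System Elevation of Privilege Vulnerability,I,EML
CVE-2025-21314,Windows SmartScreen Spoofing Vulnerability,I,EML
CVE-2025-21309,Windows Remote Desktop Services Remote Code Execution Vulnerability,C,EML
CVE-2025-21299,Windows Kerberos Security Feature Bypass Vulnerability,I,EML
CVE-2025-21298,Windows OLE Remote Code Execution Vulnerability,C,EML
CVE-2025-21269,Windows HTML Platforms Security Feature Bypass Vulnerability,I,EML
CVE-2025-21268,MapUrlToZone Security Feature Bypass Vulnerability,I,EML
CVE-2025-21210,Windows BitLocker Information Disclosure Vulnerability,I,EML
CVE-2025-21311,Windows NTLM V1 Elevation of Privilege Vulnerability,C,ELL
CVE-2025-21307,Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability,C,ELL
CVE-2025-21297,Windows Remote Desktop Services Remote Code Execution Vulnerability,C,ELL
CVE-2025-21296,BranchCache Remote Code Execution Vulnerability,C,ELL
CVE-2025-21295,SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability,C,ELL
CVE-2025-21294,Microsoft Digest Authentication Remote Code Execution Vulnerability,C,ELL
CVE-2024-49120,Windows Remote Desktop Services Remote Code Execution Vulnerability,C,ELL
CVE-2025-21334,Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability,I,ED
CVE-2025-21333,Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability,I,ED
CVE-2025-21335,Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability,I,ED
'@ | ConvertFrom-Csv

function Get-PatchPriority {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [datetime] $AsOf = (Get-Date)
    )
    # One point per day since release: the longer the fix sits unapplied, the
    # higher every item climbs, which is the window-of-vulnerability argument.
    $age = [math]::Max(0, ($AsOf - $patchTuesday).Days)

    $scored = foreach ($row in $Rows) {
        $isZeroDay = $zeroDays -contains $row.CVE
        $score = $statusWeight[$row.Status] + $severityWeight[$row.Severity] + $age
        if ($isZeroDay) { $score += 100 }

        $tier = switch ($true) {
            ($row.Status -eq 'ED' -or $isZeroDay) { 'Tier 0: exploited, patch now'; break }
            ($row.Status -eq 'EML')               { 'Tier 1: this cycle, test first'; break }
            ($row.Severity -eq 'C')               { 'Tier 2: critical but less likely'; break }
            default                               { 'Tier 3: standard cadence' }
        }

        [pscustomobject]@{
            CVE = $row.CVE; Severity = $row.Severity; Status = $row.Status
            ZeroDay = $isZeroDay; Score = $score; Tier = $tier; Title = $row.Title
        }
    }
    $scored | Sort-Object Score -Descending
}

Get-PatchPriority -Rows $rows |
    Format-Table CVE, Severity, Status, ZeroDay, Tier, Score, Title -AutoSize
```

With these weights the three Hyper-V zero-days come out on top even though Microsoft rates them only Important, the Critical EML items (RDS, OLE, Excel) follow, and the Critical ELL items sit below every EML bug; that is the inversion of a severity-only ordering that the section describes. Pass -AsOf to see how the list looks for a device that is still unpatched weeks later.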

Summary

As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally applied patches based on severity alone, consider prioritizing zero-days and vulnerabilities marked Exploitation Detected or Exploitation More Likely in your patch management routine.

Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd  

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
