Patch Tuesday January 2025: Three Hyper-V Zero-days and New Outlook in Windows 10

The January 2025 updates from Microsoft bring fixes for a large number of vulnerabilities, including three zero-day vulnerabilities Under Active Exploitation that affect Windows Hyper-V, and five more Publicly Disclosed zero-days that are marked as Exploitation Less Likely but should still receive attention through patching and additional mitigation measures. Microsoft is also forcing New Outlook onto Windows 10 devices enrolled in preview updates, which will require the attention of MSPs that don’t want to see their helpdesk queues back up with complaints from users confronted with an unfamiliar version of Outlook that appeared without warning.
Microsoft Vulnerabilities
A total of 159 vulnerabilities were addressed with fixes for January’s Patch Tuesday, including the zero-days above, as well as fixes that improve the resiliency of Windows 10 22H2 and Windows 10 21H2 against Bring Your Own Vulnerable Driver (BYOVD) attacks. On top of this, there are also fixes for 17 vulnerabilities marked as Exploitation More Likely, so you will need to make sure you factor these into your planning for this month’s patching. As always, make sure you consider temporal elements such as likelihood of exploitation to ensure proper risk management.
CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 are the three zero-days Under Active Exploitation, and all three involve Windows Hyper-V. They are all privilege escalation vulnerabilities and are of note for IT admins and MSPs because they don’t affect just servers running the Hyper-V role; they also affect Windows 10 and Windows 11. Hyper-V has become the modern Windows OS equivalent of Internet Explorer: deeply embedded in systems, used for things you would never expect it to be a part of, and constantly poking its head up where you least expect it in vulnerability reports. As zero-days Under Exploitation with a wide install base of affected Windows 10 and Windows 11 devices, these should go to the top of your priority list.
CVE-2025-21186 and CVE-2025-21366 are remote code execution vulnerabilities affecting Microsoft Office 2016, 2019, 2021, 2024, Microsoft 365 Apps and Microsoft Access 2016 through the use of modified Microsoft Access documents. Microsoft’s guidance for addressing these vulnerabilities is to apply security updates through normal patching and Microsoft Office’s Click-to-Run update mechanism. In addition, you may consider adding the following file extensions to your email filtering solution to reduce the chance of exposure and gain some breathing room while you ensure all affected devices are updated:
- *.accdb
- *.accde
- *.accdw
- *.accdt
- *.accda
- *.accdr
- *.accdu
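As an added illustration (not code from the original post or from N‑able), the same extension list applied as a check over a parsed inbound message, using only the Python standard library. The message is constructed for the demo, and the helper names are my own; a real mail filter would apply the same rule at the gateway.

```python
import email
from email import policy

# Extensions from the post's list; matching is on the final extension only.
ACCESS_EXTENSIONS = {".accdb", ".accde", ".accdw", ".accdt",
                     ".accda", ".accdr", ".accdu"}

def is_access_attachment(filename) -> bool:
    """Case-insensitive check of an attachment name; None means no filename."""
    if not filename:
        return False
    name = filename.strip().rstrip(".").lower()
    return any(name.endswith(ext) for ext in ACCESS_EXTENSIONS)

def flagged_attachments(raw_message: str) -> list:
    """Return the attachment file names in a raw RFC 5322 message that match."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()
            if is_access_attachment(part.get_filename())]

# Constructed sample message (not a real capture): one Access file with an
# upper-case extension, one PDF that should pass.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: user@example.test
Subject: Q4 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached database.
--b1
Content-Type: application/octet-stream; name="Q4_Figures.ACCDB"
Content-Disposition: attachment; filename="Q4_Figures.ACCDB"

placeholder-bytes
--b1
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"

placeholder-bytes
--b1--
"""

if __name__ == "__main__":
    print(flagged_attachments(SAMPLE_MESSAGE))  # ['Q4_Figures.ACCDB']
```

Extension matching is only the stopgap the post describes; it buys time while the Office updates roll out and should not replace them.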
Preview Update KB5050081
Also of interest this month is the preview update KB5050081, as it should act as an early warning for IT admins and MSPs that still have Windows 10 devices in their fleets. This preview update forces an installation of the new Outlook for Windows app. If you have seen the “Try the new Outlook” button in Outlook, then you’ve already been exposed to the upcoming change. If you’re not ready to migrate your fleet to the new Outlook, you can find guidance from Microsoft on how to block the change until you are. Since the preview update is forcing the change, it’s reasonable to expect that February’s cumulative update may also include this behavior. If you are not fond of the idea of a flood of helpdesk requests for training and ‘fix my broken Outlook’, then getting messaging and action plans together beforehand might save some end-user frustration.
Microsoft Patch Tuesday Vulnerability Prioritization
Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available
CVE Number | CVE Title | Severity | Status
CVE-2025-21292 | Windows Search Service Elevation of Privilege Vulnerability | I | EML
CVE-2025-21189 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML
CVE-2025-21328 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML
CVE-2025-21329 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML
CVE-2025-21219 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML
CVE-2025-21365 | Microsoft Office Remote Code Execution Vulnerability | I | EML
CVE-2025-21364 | Microsoft Excel Security Feature Bypass Vulnerability | I | EML
CVE-2025-21362 | Microsoft Excel Remote Code Execution Vulnerability | C | EML
CVE-2025-21354 | Microsoft Excel Remote Code Execution Vulnerability | C | EML
CVE-2025-21315 | Microsoft Brokering File System Elevation of Privilege Vulnerability | I | EML
CVE-2025-21314 | Windows SmartScreen Spoofing Vulnerability | I | EML
CVE-2025-21309 | Windows Remote Desktop Services Remote Code Execution Vulnerability | C | EML
CVE-2025-21299 | Windows Kerberos Security Feature Bypass Vulnerability | I | EML
CVE-2025-21298 | Windows OLE Remote Code Execution Vulnerability | C | EML
CVE-2025-21269 | Windows HTML Platforms Security Feature Bypass Vulnerability | I | EML
CVE-2025-21268 | MapUrlToZone Security Feature Bypass Vulnerability | I | EML
CVE-2025-21210 | Windows BitLocker Information Disclosure Vulnerability | I | EML
CVE-2025-21311 | Windows NTLM V1 Elevation of Privilege Vulnerability | C | ELL
CVE-2025-21307 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | C | ELL
CVE-2025-21297 | Windows Remote Desktop Services Remote Code Execution Vulnerability | C | ELL
CVE-2025-21296 | BranchCache Remote Code Execution Vulnerability | C | ELL
CVE-2025-21295 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | C | ELL
CVE-2025-21294 | Microsoft Digest Authentication Remote Code Execution Vulnerability | C | ELL
CVE-2024-49120 | Windows Remote Desktop Services Remote Code Execution Vulnerability | C | ELL
CVE-2025-21334 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | I | ED
CVE-2025-21333 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | I | ED
CVE-2025-21335 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | I | ED
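The prioritization argument above, worked as an added example that is not part of the original post: rank rows from the table by their temporal status first (Exploitation Detected ahead of More Likely ahead of Less Likely) and by base severity only within each status bucket. The rows are copied from this post’s table; the numeric rank weights are my own assumption, not a Microsoft scoring scheme.

```python
from dataclasses import dataclass

# Higher value = patch sooner. Temporal status outranks base severity,
# which is the point the post makes about not sorting on severity alone.
STATUS_RANK = {"ED": 4, "EML": 3, "ELL": 2, "EU": 1, "N/A": 0}
SEVERITY_RANK = {"C": 3, "I": 2, "M": 1, "R": 0}

@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    severity: str
    status: str

def parse_table(text: str) -> list:
    """Parse pipe-delimited rows of the form 'CVE | Title | Severity | Status'."""
    entries = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) != 4 or not cells[0].startswith("CVE-"):
            continue  # skip the header row and anything malformed
        entries.append(Entry(*cells))
    return entries

def priority_key(e: Entry) -> tuple:
    # Unknown codes rank lowest rather than raising, so a typo in the
    # table cannot crash a patch-planning script.
    return (STATUS_RANK.get(e.status, 0), SEVERITY_RANK.get(e.severity, 0))

def prioritise(entries: list) -> list:
    """Most urgent first; sort is stable, so table order breaks ties."""
    return sorted(entries, key=priority_key, reverse=True)

# A handful of rows taken from the table above (four columns, trailing pipe).
SAMPLE = """
CVE Number | CVE Title | Severity | Status
CVE-2025-21292 | Windows Search Service Elevation of Privilege Vulnerability | I | EML |
CVE-2025-21362 | Microsoft Excel Remote Code Execution Vulnerability | C | EML |
CVE-2025-21311 | Windows NTLM V1 Elevation of Privilege Vulnerability | C | ELL |
CVE-2025-21333 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | I | ED |
"""

if __name__ == "__main__":
    for e in prioritise(parse_table(SAMPLE)):
        print(f"{e.status:>3} {e.severity} {e.cve}  {e.title}")
```

Note that the Important-rated Hyper-V zero-day lands ahead of the Critical Excel RCE, which is the ordering the post argues for.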
Summary
As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.
If you are looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews, check out the Patch Management section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only, and its contents should not be construed as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability regarding the accuracy, completeness or usefulness of the information contained herein.
N-ABLE, N-CENTRAL and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered marks, or marks pending registration with the United States Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.