
Microsoft fixes 159 bugs in first Patch Tuesday of 2025


Administrators hoping for an easy start to the year will be disappointed to learn Microsoft has issued patches for 159 CVEs.

The first Patch Tuesday of 2025 will be a doozy for those charged with testing and deploying security updates. The patch dump is the largest from Microsoft in over half a decade.

“This is the largest number of CVEs addressed in any single month since at least 2017 and is more than double the usual amount of CVEs fixed in January,” said Dustin Childs of the Zero Day Initiative.

“This comes on the heels of a record number of December patches and could be an ominous sign for patch levels in 2025. It will be interesting to see how this year shapes up.”

If there is some good news to be had from the hefty Patch Tuesday, it is that only 11 of the CVEs are rated as critical security flaws, and none of those 11 are being publicly exploited at this time.

That usually changes within 24 hours, as “Patch Tuesday” often brings about “Exploit Wednesday,” when newly disclosed flaws come under active attack. Because of this, it is highly recommended that network defenders test and deploy updates as soon as possible.

Other than the 11 critical flaws, there are 148 CVE-listed vulnerabilities that Microsoft rated as important, including three that are under active exploit.

CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 are all currently targeted for elevation of privilege attacks. In each case, threat actors are targeting the Windows Hyper-V NT Kernel Integration component to elevate from restricted users to administrator access.

Childs argued that the three bugs could end up being more severe than their “important” classification would suggest, as they allow the threat actor to obtain system-level authorization on the target machine.

“Although not specified, I would think that if the attacker were executing code at SYSTEM on the hypervisor from a guest, the CVSS would indicate a scope change,” the researcher explained.

“Microsoft doesn’t list that, but I’ve disagreed with their CVSS ratings in the past.”

Meanwhile, the “critical” flaws were spread across various Microsoft services, including Azure Marketplace (CVE-2025-21380), Visual Studio (CVE-2025-21178) and Windows Remote Desktop Services (CVE-2025-21297).

Adobe also released its own set of patches on Tuesday, addressing a total of 14 CVE-listed flaws in Photoshop, Substance 3D Stager, Illustrator on iPad, Animate, and Substance 3D Designer. Of those, five were listed as critical, allowing for remote code execution, though none of the flaws are currently being actively targeted.

As with the Microsoft updates, administrators would be well-advised to test and deploy the Adobe updates as soon as possible.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
