It's that time of the month already, Microsoft's first Patch Tuesday updates of 2025 have been released.
This month, the update addresses 159 security vulnerabilities, including eight zero-day flaws—three of which are now actively being exploited in the wild.
Fixes for 12 "Critical" vulnerabilities that span information disclosure, privilege escalation, and remote code execution categories have also been highlighted.
A Breakdown of Vulnerability Categories
The vulnerabilities fixed in this release fall into the following categories:
- 40 Elevation of Privilege Vulnerabilities
- 14 Security Feature Bypass Vulnerabilities
- 58 Remote Code Execution Vulnerabilities
- 24 Information Disclosure Vulnerabilities
- 20 Denial of Service Vulnerabilities
- 5 Spoofing Vulnerabilities
Zero-Days in Focus: Active Exploits and Public Disclosures
This update addresses three actively exploited zero-day vulnerabilities and five additional zero-days that have been publicly disclosed. According to Microsoft, zero-day vulnerabilities are those that are either publicly known or actively exploited before an official patch is available.
Actively Exploited Zero-Day Vulnerabilities
- CVE-2025-21333, CVE-2025-21334, CVE-2025-21335
These elevation of privilege vulnerabilities in Windows Hyper-V allow attackers to gain SYSTEM privileges on affected devices. While details of the exploitation methods remain undisclosed, the vulnerabilities appear to be related and may have been uncovered through the same attack vector. All three vulnerabilities were reported anonymously.
Publicly Disclosed Zero-Days
- CVE-2025-21275: Windows App Package Installer Privilege Escalation
Exploiting this flaw could allow attackers to achieve SYSTEM privileges. The issue was submitted anonymously and underscores the risks associated with privilege escalation flaws.
- CVE-2025-21308: Windows Themes Spoofing Vulnerability
This spoofing vulnerability could be triggered by displaying a specially crafted Windows Theme file in Windows Explorer. Attackers could exploit this by enticing users to interact with a malicious file, potentially leaking NTLM credentials. Blaz Satler from ACROS Security identified this flaw as a bypass of a previous vulnerability (CVE-2024-38030). Microsoft suggests mitigating the risk by disabling NTLM or enforcing specific NTLM traffic restrictions.
- CVE-2025-21186, CVE-2025-21366, CVE-2025-21395: Microsoft Access Remote Code Execution
These vulnerabilities involve malicious Microsoft Access documents, which could trigger remote code execution. Microsoft has mitigated this risk by blocking certain file types (e.g., .accdb, .accde) when sent via email. Notably, these vulnerabilities were discovered by Unpatched.ai, an AI-driven platform.
Updates from Other Vendors
Several other vendors released important security updates this month, further emphasising the need for organisations to maintain a proactive approach to cyber security:
- Adobe: Updates for Photoshop, Substance3D, Illustrator for iPad, and Animate.
- Cisco: Fixes for products like ThousandEyes Endpoint Agent and Crosswork Network Controller.
- Ivanti: Patched a zero-day in Connect Secure used in malware attacks.
- Fortinet: Resolved an authentication bypass zero-day in FortiOS and FortiProxy.
- GitHub: Addressed vulnerabilities in Git.
- Moxa: Fixed critical flaws in industrial networking devices.
- SAP: Released patches for critical vulnerabilities in SAP NetWeaver.
- SonicWall: Resolved an authentication bypass in SSL VPN and SSH management interfaces.
- Zyxel: Addressed a privilege management flaw in its web management interface.
Strengthen Your Security Posture
This month’s Patch Tuesday update, as always, highlights the importance of making sure that systems are kept updated to minimise exposure to vulnerabilities, particularly those actively exploited.
For a comprehensive list of resolved vulnerabilities and affected systems, view the full Patch Tuesday report here.