Microsoft’s January Patch Tuesday: 159 Vulnerabilities Fixed, Including Active Exploits
On January 10, Microsoft rolled out an extensive set of security updates as part of Patch Tuesday, fixing 159 vulnerabilities across a range of applications and services. This is one of the largest updates in recent memory, addressing more than double the usual number of flaws. Among the patched vulnerabilities, three are already being exploited in the wild, and five were publicly disclosed before the update.
Security Flaws in Windows
Out of the 159 vulnerabilities, 132 are found in Windows 10, Windows 11, and Windows Server versions still supported by Microsoft. While older systems like Windows 7 and Windows 8.1 are no longer included in the security reports, Microsoft warns users of these older systems to upgrade to a supported version to ensure continued security updates.
Exploited Windows Vulnerabilities
Microsoft confirmed that three vulnerabilities in Hyper-V (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) are being actively exploited. These flaws allow attackers to run code from a guest machine with elevated privileges on the host system. The full scale of these attacks remains unknown. In addition, eight critical vulnerabilities were fixed, including a high-risk Windows OLE vulnerability (CVE-2025-21298), which can be exploited via Outlook if a malicious email is opened.
Microsoft Office Fixes
The January update also addressed 20 vulnerabilities in Microsoft Office, many involving Remote Code Execution (RCE) in applications like Word, Excel, Outlook, and OneNote. Three vulnerabilities in Access are zero-days, meaning they were known to be actively exploited prior to the patch.
Edge Browser Update
An update for Microsoft Edge was also included in this round of patches, bringing the browser to version 131.0.2903.146. Although it is available in the update catalog, Microsoft has not yet provided further details about it.
For administrators managing corporate networks, Dustin Childs offers an in-depth analysis of the vulnerabilities on the Zero Day Initiative blog.
The next regular Patch Tuesday update will occur on February 11, 2025, bringing more security fixes for Microsoft products.