SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
Microsoft patches record 157 vulnerabilities in January 2025

Yesterday

Microsoft has addressed 157 Common Vulnerabilities and Exposures (CVEs) in its first Patch Tuesday update for 2025, marking the highest tally for any January since 2017 and breaking its previous record set in April 2024.

By comparison, Microsoft patched 98 CVEs in January 2023 and 48 in January 2024, and its January releases have averaged around 60 CVEs since 2017.

This month's update includes eight zero-day vulnerabilities, three of which have been actively exploited. These three vulnerabilities (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) relate to Windows Hyper-V's NT Kernel, particularly affecting communication between virtual machines and the host operating system.

Satnam Narang, Senior Staff Research Engineer at Tenable, commented on the nature of these vulnerabilities: "Little is known about the in-the-wild exploitation of these flaws. As elevation of privilege bugs, they're being used as part of post-compromise activity, where an attacker has already accessed a target system. It's kind of like if an attacker is able to enter a secure building, they're unable to access more secure parts of the facility because they have to prove that they have clearance. In this case, they're able to trick the system into believing they should have clearance."

Narang further illustrated the ongoing challenge posed by elevation of privilege vulnerabilities, stating, "More often than not, we see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because it's not always initial access to a system that's a challenge for attackers as they have various avenues in their pursuit. The greater challenge is being able to obtain more privileged access once they've gained initial system access."

The January 2025 update also continues a trend in which elevation of privilege flaws feature prominently. Over 2023 and 2024, 45 zero-day exploits were recorded, 19 of which were elevation of privilege vulnerabilities, making up 42% of the total.

Additionally, Microsoft addressed three vulnerabilities in Microsoft Access, tracked as CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395. These remote code execution vulnerabilities can be triggered if an attacker uses social engineering to persuade a target to download and execute a malicious file.

Narang noted the use of artificial intelligence in the discovery of these vulnerabilities, stating, "What makes these vulnerabilities most interesting is that they were reportedly discovered using AI, as they are credited to a platform called Unpatched.ai. Unpatched.ai was also credited with discovering a flaw in the December 2024 Patch Tuesday release (CVE-2024-49142). Automated vulnerability detection using AI has garnered a lot of attention recently, so it's noteworthy to see this service being credited with finding bugs in Microsoft products. It may be the first of many in 2025."

Microsoft's latest patch cycle reflects both the rising complexity of cyber threats and the evolving methods of vulnerability detection. The involvement of AI in identifying vulnerabilities highlights a potential shift in proactive cybersecurity measures for the coming years.
