8 zero days, 159 security vulnerabilities fixed in Microsoft’s January 2025 Patch Tuesday

Microsoft’s January 2025 Patch Tuesday includes fixes for 159 security vulnerabilities, among them eight zero-day flaws, three of which are actively exploited.

Twelve of the patched flaws are deemed "Critical," addressing remote code execution, privilege escalation, and information disclosure risks. The update covers 40 privilege escalation flaws, 58 remote code execution issues, and 24 information disclosure vulnerabilities. Three actively exploited zero-day flaws (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) relate to Windows Hyper-V and allow attackers to gain system privilege.

Another zero day (CVE-2025-21275) affects the Windows App Package Installer and could grant attackers elevated privileges. Additionally, a Windows Themes spoofing flaw (CVE-2025-21308) allows credential theft via malicious theme files. Microsoft also patched three Microsoft Access vulnerabilities that could be exploited via specially crafted documents, blocking certain file types sent via email.