January 2025 Patch Tuesday
Microsoft has released updates resolving 159 unique CVEs for January. Among the lineup are three zero-day vulnerabilities under active exploitation and five publicly disclosed vulnerabilities. The exploited CVEs all affect Windows Hyper-V NT Kernel Integration VSP, making the Windows OS update this month your most urgent priority. The public disclosures affect Windows Themes, Windows App Package Installer and three CVEs in Microsoft Access. There are 10 CVEs rated Critical, affecting components of the Windows OS and Microsoft Excel.
Microsoft exploited vulnerabilities
Microsoft has resolved three Elevation of Privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335). All three vulnerabilities are rated Important and each has a CVSSv3.1 score of 7.8. These vulnerabilities affect Microsoft Windows versions 10, 11 and Server 2025. Microsoft is aware of exploitation of these vulnerabilities. Risk-based prioritization warrants treating these vulnerabilities as Critical.
Microsoft publicly disclosed vulnerabilities
Microsoft has resolved a Spoofing vulnerability in Windows Themes (CVE-2025-21308). The vulnerability is rated Important and has a CVSSv3.1 score of 6.5. It affects Windows 10 and 11 as well as Server 2012 up to Server 2025. The CVE has been publicly disclosed, increasing the risk of exploitation. Microsoft lists mitigations that can reduce the risk from this vulnerability and from similar future issues; for details, refer to the Mitigations section of the CVE page.
Microsoft has resolved an Elevation of Privilege vulnerability in Windows App Package Installer (CVE-2025-21275). The vulnerability is rated Important and has a CVSSv3.1 score of 7.8. The vulnerability affects Microsoft Windows versions 10, 11, and Server 2025. If exploited, an attacker could gain SYSTEM level privileges. The CVE has been publicly disclosed, increasing the risk of exploitation.
Microsoft has resolved three Remote Code Execution vulnerabilities in Microsoft Access (CVE-2025-21186, CVE-2025-21395 and CVE-2025-21366). All three vulnerabilities are rated Important and each has a CVSSv3.1 score of 7.8. The vulnerabilities affect Microsoft Office 2019, Access 2016, Office LTSC 2021 and 2024 and Microsoft 365 Apps. The CVEs have been publicly disclosed, increasing the risk of exploitation.
Third-party vulnerabilities
Oracle's quarterly Critical Patch Update (CPU) is scheduled for release on January 21, so be prepared for updates to Oracle products, including Java. Once the Java release is out, expect the Java-based frameworks to ship updates over the following weeks.
Adobe has released updates for Photoshop, Substance 3D Stager, Illustrator on iPad, Animate and Substance 3D Designer, resolving a total of 14 CVEs. All of the CVEs resolved are rated as Critical, but no exploitation or disclosures have been reported.
Expect Google Chrome’s weekly security update today or tomorrow along with an update for Microsoft Edge shortly after.
Ivanti security advisory
Ivanti has released three product updates resolving 20 CVEs. The affected products include Ivanti Avalanche, Ivanti Application Control Engine and Ivanti Endpoint Manager. Ivanti is not aware of any exploitation or public disclosures for the 20 resolved CVEs. For more information, see the January Patch Tuesday Security Advisory page.
January update priorities:
- Microsoft Windows is the top priority this month, with three known exploited CVEs, two publicly disclosed vulnerabilities and eight Critical CVEs resolved.
- Microsoft Office is next in priority from a risk-based perspective. This month's update resolves three publicly disclosed CVEs in Access and two Critical CVEs in Excel. The two Excel CVEs could use the Preview Pane as an attack vector, which makes them attractive targets for threat actors.
- Ensure your browsers are all up to date. Mozilla released updates last week, and Google Chrome and Microsoft Edge update weekly with security fixes.
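The ordering used in this priority list, and the rule stated above that known exploitation warrants treating an Important CVE as Critical, can be expressed as a small scoring routine so the same ranking is reproducible for the rest of the month's CVEs. The block below is an added example, not Ivanti's or Microsoft's code. The CVE records are transcribed from this post; the single CVE-2025-XXXXX row is a constructed placeholder standing in for one of the Critical Excel CVEs the post does not name, and its CVSS value is likewise constructed. Using public disclosure as a tie-breaker within a severity tier is this example's assumption, not a rule the post states.

```python
"""Risk-based prioritization of the CVEs named in the January 2025 Patch Tuesday summary.

Added example, not vendor code. Records are transcribed from the post except the
CVE-2025-XXXXX placeholder, which is constructed.
"""
from dataclasses import dataclass

# Vendor severity scale, lowest to highest.
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


@dataclass(frozen=True)
class Cve:
    cve_id: str
    family: str            # update family the fix ships with, e.g. "Windows" or "Office"
    component: str
    vendor_severity: str   # severity as rated by the vendor
    cvss: float
    exploited: bool = False
    disclosed: bool = False


def effective_severity(cve: Cve) -> str:
    """Rule from the post: known exploitation warrants treating the CVE as Critical."""
    return "Critical" if cve.exploited else cve.vendor_severity


def priority_key(cve: Cve) -> tuple:
    """Sort key; lower sorts first.

    Effective severity comes first, then exploited CVEs ahead of unexploited ones in the
    same tier, then (assumption) publicly disclosed ahead of undisclosed, then CVSS score,
    with the CVE id as a stable final tie-breaker.
    """
    return (
        -SEVERITY_RANK[effective_severity(cve)],
        0 if cve.exploited else 1,
        0 if cve.disclosed else 1,
        -cve.cvss,
        cve.cve_id,
    )


def prioritize(cves):
    """Return the CVEs ordered from most to least urgent."""
    return sorted(cves, key=priority_key)


def family_order(cves):
    """Update families ordered by their most urgent CVE: the post's 'update priorities' list."""
    best = {}
    for cve in cves:
        key = priority_key(cve)
        if cve.family not in best or key < best[cve.family]:
            best[cve.family] = key
    return sorted(best, key=best.get)


HYPERV = "Hyper-V NT Kernel Integration VSP"
JANUARY_2025 = [
    Cve("CVE-2025-21333", "Windows", HYPERV, "Important", 7.8, exploited=True),
    Cve("CVE-2025-21334", "Windows", HYPERV, "Important", 7.8, exploited=True),
    Cve("CVE-2025-21335", "Windows", HYPERV, "Important", 7.8, exploited=True),
    Cve("CVE-2025-21308", "Windows", "Windows Themes", "Important", 6.5, disclosed=True),
    Cve("CVE-2025-21275", "Windows", "App Package Installer", "Important", 7.8, disclosed=True),
    Cve("CVE-2025-21186", "Office", "Microsoft Access", "Important", 7.8, disclosed=True),
    Cve("CVE-2025-21395", "Office", "Microsoft Access", "Important", 7.8, disclosed=True),
    Cve("CVE-2025-21366", "Office", "Microsoft Access", "Important", 7.8, disclosed=True),
    # Constructed placeholder for one of the Critical Excel CVEs the post does not name.
    Cve("CVE-2025-XXXXX", "Office", "Microsoft Excel (placeholder)", "Critical", 7.8),
]


def prioritized_ids(cves=JANUARY_2025):
    """CVE ids in patch-priority order; convenient for reports and assertions."""
    return [c.cve_id for c in prioritize(cves)]


if __name__ == "__main__":
    for cve in prioritize(JANUARY_2025):
        flags = ("exploited" if cve.exploited else "") + (" disclosed" if cve.disclosed else "")
        print(f"{cve.cve_id:16} {effective_severity(cve):9} {cve.cvss:4} {cve.family:8} "
              f"{cve.component} {flags.strip()}")
    print("Update order:", family_order(JANUARY_2025))
```

The three exploited Hyper-V CVEs sort to the top even though Microsoft rates them Important, because `effective_severity` re-rates them as Critical; the Windows family therefore comes before Office, matching the list above.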