Ethical Hacking News
Microsoft has released security patches for 159 total flaws, including eight zero-day vulnerabilities, as part of its January 2025 Patch Tuesday update.
Microsoft has released security patches for 159 total flaws.
There are eight zero-day vulnerabilities addressed by Microsoft, including three actively exploited flaws.
The five zero-day vulnerabilities are:
1. CVE-2025-21333 - Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
2. CVE-2025-21334 - Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability (anonymously submitted exploit)
3. CVE-2025-21335 - Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability (anonymously submitted exploit)
4. CVE-2025-21275 - Windows App Package Installer Elevation of Privilege Vulnerability
5. CVE-2025-21308 - Windows Themes Spoofing Vulnerability
Several other vulnerabilities have been addressed by Microsoft, including Remote Code Execution (RCE) flaws, Information Disclosure Vulnerabilities, Elevation of Privilege Vulnerabilities, Denial of Service (DoS) Flaws, and Spoofing Vulnerabilities.
In a recent update, Microsoft has acknowledged and addressed five zero-day vulnerabilities, including three actively exploited flaws. These updates were part of the company's January 2025 Patch Tuesday, which saw the release of security patches for 159 total flaws, with eight of those being zero-day vulnerabilities.
The first zero-day vulnerability to be addressed was CVE-2025-21333, a Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability. Exploiting this flaw allowed attackers to gain SYSTEM privileges on Windows devices. Microsoft has stated that the exploit for this flaw was submitted anonymously, and no further information about how these flaws were exploited is available.
The second zero-day vulnerability addressed was CVE-2025-21334, also a Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability. Exploiting this flaw allowed attackers to gain SYSTEM privileges on Windows devices. Like the first flaw, Microsoft has stated that the exploit for this flaw was submitted anonymously.
The third zero-day vulnerability addressed was CVE-2025-21335, a Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability. Exploiting this flaw allowed attackers to gain SYSTEM privileges on Windows devices. Like the first two flaws, Microsoft has stated that the exploit for this flaw was submitted anonymously.
In addition to these zero-day vulnerabilities, Microsoft has also addressed five publicly disclosed zero-days, including CVE-2025-21275, a Windows App Package Installer Elevation of Privilege Vulnerability. Exploiting this flaw allowed attackers to gain SYSTEM privileges on Windows devices. Microsoft fixed this vulnerability by mitigating the issue and blocking access to specific types of Microsoft Access documents.
CVE-2025-21308, a Windows Themes Spoofing Vulnerability, was another publicly disclosed zero-day addressed by Microsoft. Exploiting this flaw allowed attackers to gain SYSTEM privileges on Windows devices. Microsoft fixed this vulnerability by mitigating the issue and disabling NTLM for remote servers or enabling the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.
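To check whether the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy named above is actually in force on a host, the following PowerShell reads the registry values that back it. This is an added example, not code from the article or from Microsoft; it assumes the standard RestrictSendingNTLMTraffic and ClientAllowedNTLMServers values under the Lsa\MSV1_0 key, and the function name is hypothetical.

```powershell
# Added example: read the registry values behind the
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.
function Get-OutgoingNtlmRestriction {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    )

    $labels = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
    $props  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    # A missing value means the policy is not configured, which behaves as "Allow all".
    $raw        = if ($props) { $props.RestrictSendingNTLMTraffic } else { $null }
    $configured = $null -ne $raw
    $effective  = if ($configured) { [int]$raw } else { 0 }

    # Servers exempted from the restriction (REG_MULTI_SZ); each entry
    # reopens outgoing NTLM to that host even under "Deny all".
    $exceptions = @()
    if ($props -and $props.ClientAllowedNTLMServers) {
        $exceptions = @($props.ClientAllowedNTLMServers | Where-Object { $_ })
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        PolicyConfigured  = $configured
        Setting           = if ($labels.ContainsKey($effective)) { $labels[$effective] } else { "Unknown ($effective)" }
        OutgoingDenied    = ($effective -eq 2)
        Exceptions        = $exceptions
        WildcardException = [bool]($exceptions | Where-Object { $_ -match '\*' })
    }
}

$result = Get-OutgoingNtlmRestriction
$result | Format-List
if (-not $result.OutgoingDenied) {
    Write-Warning "Outgoing NTLM to remote servers is not denied on $($result.Computer) (setting: $($result.Setting))."
}
```

A result of "Audit all" only logs outgoing NTLM attempts to the NTLM operational log and does not block them, so it is useful for finding dependencies before moving to "Deny all" but is not itself the mitigation.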
Microsoft has also addressed several other vulnerabilities, including Remote Code Execution (RCE) flaws, Information Disclosure Vulnerabilities, Elevation of Privilege Vulnerabilities, Denial of Service (DoS) Flaws, and Spoofing Vulnerabilities. Some of these updates address critical vulnerabilities that could allow attackers to gain SYSTEM privileges on Windows devices.
In addition to addressing zero-day vulnerabilities, Microsoft has also released security updates for other products, including Cisco ThousandEyes Endpoint Agent, Cisco Crosswork Network Controller, Ivanti Connect Secure, Fortinet FortiOS and FortiProxy, GitHub Git, Moxa industrial networking and communications devices, ProjectDiscovery Nuclei, SAP NetWeaver, SonicWall SSL VPN and SSH management, and the Zyxel web management interface.
The January 2025 Patch Tuesday update has fixed a total of twelve critical vulnerabilities, including information disclosure, elevation of privilege, and remote code execution flaws. These updates have mitigated the risks associated with these vulnerabilities and are available for download from Microsoft's official website.
In conclusion, the January 2025 Patch Tuesday update addresses five zero-day vulnerabilities and resolves 159 flaws across various Microsoft products. These updates demonstrate Microsoft's commitment to protecting its users' systems from emerging threats and vulnerabilities.
Related Information:
https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/
https://nvd.nist.gov/vuln/detail/CVE-2025-21333
https://www.cvedetails.com/cve/CVE-2025-21333/
https://nvd.nist.gov/vuln/detail/CVE-2025-21334
https://www.cvedetails.com/cve/CVE-2025-21334/
https://nvd.nist.gov/vuln/detail/CVE-2025-21335
https://www.cvedetails.com/cve/CVE-2025-21335/
https://nvd.nist.gov/vuln/detail/CVE-2025-21275
https://www.cvedetails.com/cve/CVE-2025-21275/
https://nvd.nist.gov/vuln/detail/CVE-2025-21308
https://www.cvedetails.com/cve/CVE-2025-21308/
Published: Tue Jan 14 17:17:46 2025 by llama3.2 3B Q4_K_M