Three Hyper-V bugs exploited? Patch Tuesday is back with a bang. Take a breath...

"Users will likely revolt..."

Microsoft has pushed out patches for 161 vulnerabilities – three listed as under attack in the wild – in the largest Patch Tuesday in five years. 

Two others are listed as actively known; 11 are listed as critical. 

The trio of vulnerabilities being exploited are in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). This manages resources and communication between a host system and guest VMs.

They have been allocated CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335, and as usual, Microsoft has shared no details on the attackers or indicators of compromise. A successful attack gives the attacker SYSTEM privileges.

(Saeed Abbasi, Manager, Vulnerability Research, Qualys Threat Research Unit, noted by email: “Usually, moving from guest to host/hypervisor indicates a CVSS scope change, but Microsoft’s current disclosure has not explicitly confirmed this, suggesting further details are needed; this could jeopardize the entire host infrastructure, not just the individual VM.”)

Patch Tuesday, January 2025? OLE!

A critical (CVSS 9.8) bug in the ubiquitous Windows Object Linking and Embedding (OLE) component was also flagged by many late Tuesday. 

CVE-2025-21298 can be exploited remotely, with no privileges and no user interaction required. Microsoft flags it as “exploitation more likely”.

Dustin Childs of bug bounty programme the ZDI commented: “The specific flaw exists within the parsing of RTF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. As a mitigation, you can set Outlook to read all standard mail as plain text, but users will likely revolt against such a setting. The best option is to test and deploy this patch quickly.”

Unexpected software showing up?

That’s the tip of a rather large Patch Tuesday iceberg and, as Tyler Reguly, Security R&D at global cybersecurity software and services provider Fortra put it: “This is definitely one of those months where admins need to step back, take a deep breath, and determine their plan of attack.”

He added in an emailed comment: “While a large number of these vulnerabilities will be resolved by the Windows cumulative update, there is a plethora of other software impacted including a number of Office products (Word, Excel, Access, Outlook, Visio, and SharePoint) as well as other Microsoft products like .NET, .NET Framework, and Visual Studio.

“A couple of pieces of software that admins may not be expecting to see show up this month. Their appearance in the Microsoft release notes is so rare, that admins may not even know everywhere that they are installed. This includes the On-Premises Data Gateway for PowerBI as well as Power Automate for Desktop. This is a great time to check your asset inventory software and determine if and where you are affected…”
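Where no asset inventory tool is in place, the check described above can be approximated with a script. The following is an added example, not code from the article or from Microsoft; the function name `Find-InstalledProduct` is hypothetical and the display-name patterns are assumptions to adjust for your estate.

```powershell
# Added example. The patterns below are ASSUMED display names for the two
# products named in the article; confirm them against a known install.
$Patterns = @('*On-premises data gateway*', '*Power Automate*')

function Find-InstalledProduct {
    param(
        [Parameter(Mandatory)][string[]]$NamePattern,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    # Reads the per-machine uninstall entries (64-bit and 32-bit views).
    # Per-user and Microsoft Store installs do not appear under these keys.
    $scan = {
        param($NamePattern)
        $keys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object {
                $name = $_.DisplayName
                $name -and ($NamePattern | Where-Object { $name -like $_ })
            } |
            Select-Object @{n='Computer'; e={$env:COMPUTERNAME}},
                          DisplayName, DisplayVersion, Publisher,
                          @{n='Status'; e={'Installed'}}
    }
    foreach ($c in $ComputerName) {
        try {
            if ($c -eq $env:COMPUTERNAME) {
                & $scan $NamePattern
            } else {
                # (,$NamePattern) passes the array as one argument.
                Invoke-Command -ComputerName $c -ScriptBlock $scan `
                    -ArgumentList (,$NamePattern) -ErrorAction Stop
            }
        } catch {
            # An unreachable host is unknown, not clean: report it explicitly.
            [pscustomobject]@{
                Computer = $c; DisplayName = $null; DisplayVersion = $null
                Publisher = $null; Status = "Unreachable: $($_.Exception.Message)"
            }
        }
    }
}

Find-InstalledProduct -NamePattern $Patterns | Format-Table -AutoSize
```

Pass a list of hostnames to `-ComputerName` to sweep remote machines over PowerShell remoting; hosts that return no rows had no matching per-machine entry.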
