Microsoft patched a whopping 157 CVEs in its inaugural Patch Tuesday for 2025

By Satnam Narang, Sr. Staff Research Engineer, Tenable

Microsoft patched a whopping 157 CVEs in its inaugural Patch Tuesday for 2025. Not only is this the largest number of CVEs patched in January, it is the largest number of CVEs patched across any Patch Tuesday release since 2017. Microsoft set a record in April 2024, patching 147 CVEs. Since 2017, the average number of CVEs patched in January was 60. Prior to 2025, the largest January Patch Tuesday release was 2023, which saw Microsoft patch 98 CVEs. In 2024, Microsoft opened the year with 48 CVEs patched.

“This month, there were eight zero-days, including three that were exploited and five that were publicly disclosed ahead of Patch Tuesday.

“The three zero-day vulnerabilities exploited in the wild (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335) exist within a component of the Windows Hyper-V’s NT Kernel that manages communication between virtual machines and the host operating system.

“Little is known about the in-the-wild exploitation of these flaws. As elevation of privilege bugs, they’re being used as part of post-compromise activity, where an attacker has already accessed a target system. It’s kind of like if an attacker is able to enter a secure building, they’re unable to access more secure parts of the facility because they have to prove that they have clearance. In this case, they’re able to trick the system into believing they should have clearance.

“More often than not, we see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because it’s not always initial access to a system that’s a challenge for attackers as they have various avenues in their pursuit. The greater challenge is being able to obtain more privileged access once they’ve gained initial system access. Patch Tuesday releases from 2023 and 2024 included 45 zero-days exploited in the wild. Elevation of privilege flaws took the crown each year, accounting for 19 in total, or 42%.

“Microsoft also patched three vulnerabilities in Microsoft Access, identified as CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395. These are remote code execution bugs that are exploitable if an attacker convinces a target to download and run a malicious file through social engineering. What makes these vulnerabilities most interesting is that they were reportedly discovered using AI, as they are credited to a platform called Unpatched.ai. Unpatched.ai was also credited with discovering a flaw in the December 2024 Patch Tuesday release (CVE-2024-49142). Automated vulnerability detection using AI has garnered a lot of attention recently, so it’s noteworthy to see this service being credited with finding bugs in Microsoft products. It may be the first of many in 2025.”
