Microsoft fixes exploited Hyper-V privilege escalation flaws • The Register

01/14/2025


Patch Tuesday The first Patch Tuesday of 2025 has seen Microsoft address three under-attack privilege-escalation flaws in its Hyper-V hypervisor, plus plenty more problems that deserve your attention.

The Hyper-V vulnerabilities are CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335, and were already being exploited in the wild as zero-days. They are rated important in terms of severity, score 7.8 out of 10 on the CVSS scale, and involve abusing memory-safety bugs: two use-after-frees and one heap buffer overflow.

That’s scary because they can allow an attacker to gain SYSTEM privileges – the ultimate position of power on a Windows box. That said, the vulnerabilities are not billed as guest escapes, and instead we’re told they simply allow a rogue user or malware already on a machine to gain top privileges. Whatever the problem is, it’s present in Windows 10 and 11, plus Windows Server’s 2022 and 2025 releases.

Microsoft has not detailed the extent nor nature of the in-the-wild exploitation.

Redmond’s patch drop also contains three fixes for flaws rated 9.8 out of 10, and therefore considered critical.

The first, CVE-2025-21311, is another elevation-of-privilege flaw, this time in the NTLMv1 authentication system, and can be exploited remotely. While a patch is available, Redmond added a mitigation strategy: Set LmCompatibilityLevel to its maximum value (5). This blocks NTLMv1 while still allowing NTLMv2 to function.
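As an added example (not code from The Register or Microsoft), the PowerShell below audits the LmCompatibilityLevel setting mentioned above on a local machine and raises it to 5 if it is lower. It assumes the documented registry location under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and that an absent value means the modern Windows default of 3 applies:

```powershell
# Added example: audit and optionally enforce the LmCompatibilityLevel mitigation
# for CVE-2025-21311 on the local host. Run from an elevated PowerShell session.
# Assumption: the value lives at the registry path below; when it is absent the
# OS default (3, "Send NTLMv2 response only") applies.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'LmCompatibilityLevel'
$target = 5   # "Send NTLMv2 response only. Refuse LM & NTLM."

# Human-readable meaning of each level, to make the audit output self-explanatory.
$meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

$current = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = 3 }   # assumption: default when the value is not set
$current = [int]$current

Write-Host ("{0} = {1} ({2})" -f $name, $current, $meaning[$current])

if ($current -lt $target) {
    Write-Warning "NTLMv1 responses are still accepted; setting $name to $target"
    Set-ItemProperty -Path $lsaKey -Name $name -Value $target -Type DWord
    Write-Host "Applied. Restart the machine (or affected services) for the change to take effect."
} else {
    Write-Host "Mitigation already in place."
}
```

In a domain the same setting is normally pushed through Group Policy as "Network security: LAN Manager authentication level" rather than edited per host, and a policy value overrides whatever this script writes. Before enforcing level 5 broadly, check the NTLM audit logs for clients that still negotiate NTLMv1 (old appliances and embedded devices are the usual culprits), since they will fail to authenticate once LM and NTLM responses are refused.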

The other two flaws can both facilitate remote code execution. Possibly the more serious issue is in the Windows Object Linking and Embedding (OLE) framework, CVE-2025-21298. Exploitation of this bug may involve a user opening a specially crafted Outlook email. The problem affects Windows 10 and 11, and all supported versions of Windows Server from 2016 onward.

The other 9.8-rated issue, CVE-2025-21307, requires a target to have at least one program actively listening on a Windows Pragmatic General Multicast (PGM) port, PGM being a networking component that allows simultaneous distribution of data to multiple recipients. Microsoft warns that “an unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast open socket on the server, without any interaction from the user.” Those poisoned packets could lead to arbitrary code execution on that remote target. Microsoft hasn’t, understandably, said how that happens.

This is a good news/bad news bug. The good is that PGM does not authenticate requests so it is not recommended to expose it to the public internet, and we assume most of you don’t. The bad news is those who ignored that advice are exposed.

Microsoft rates flaws using the CVSS, and also its own Security Update Severity Rating System, which considers above all else a flaw critical if it can result in unwanted code execution without user interaction. Here are three holes addressed in January’s Patch Tuesday that have sub-9.0 CVSS scores (ie, non-critical) but are considered critical by the IT titan:

  • We have CVE-2025-21296, a nasty remote code execution issue with BranchCache – Redmond’s networking tool that was ironically supposed to make patch management easier. Luckily, it is only exploitable if you’re on the same local network and manage to win a time-of-check-to-time-of-use race.
  • Next up is an issue with Microsoft’s security client/server code snappily dubbed the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) Extended Negotiation (NEGOEX). The patch fixes CVE-2025-21295, which would allow an unauthenticated attacker to “manipulate system operations in a specific manner” to remotely run code.
  • Another on the crit list is CVE-2025-21294, which can be found in Microsoft’s Digest Authentication procedure. We’re told: “An attacker could successfully exploit this vulnerability by connecting to a system which requires digest authentication, triggering the race condition to create a use-after-free scenario, and then leveraging this to execute arbitrary code.” More memory safety issues, then.

Moving along, the January patch list includes two more sub-9.0 critical flaws, these ones in everyone’s favorite spreadsheet, Excel.

Both CVE-2025-21362 and CVE-2025-21354 allow code execution if the user can be tricked into opening a malware-packed file, and neither requires special privileges to exploit.

“The worry for these vulnerabilities in Excel is that they are more likely to be exploited in the wild, meaning Microsoft likely suspects they can be weaponized by attackers,” said Ben McCarthy, lead cyber security engineer at Immersive Labs.

“With social engineering still being one of the main ways for attackers to gain initial access, any vulnerabilities in Excel need to be taken seriously by any company that uses it and patched immediately.”

Other fixes harden Remote Desktop services against flaws Microsoft considers critical. For both CVE-2025-21309 and CVE-2025-21297, an attacker could exploit the vulnerability “by connecting to a system with the Remote Desktop Gateway role, triggering the race condition to create a use-after-free scenario, and then leveraging this to execute arbitrary code,” Microsoft said.

Then there’s CVE-2025-21380, an Azure Marketplace SaaS resources information disclosure vulnerability; CVE-2025-21385, a Purview info-leak; and CVE-2025-21178, a code execution hole in Visual Studio.

There’s another summary of the holes over at the Zero Day Initiative.

More trouble to handle

Adobe’s January patches fix flaws in Photoshop, Illustrator, Substance 3D Stager, and Animate.

There are vulnerabilities in Photoshop 2024 and 2025 affecting both Windows and macOS that Adobe considers of critical concern as, like Microsoft, it has its own ratings that suggest you prioritize fixes for vulns that “allow malicious native-code to execute, potentially without a user being aware.”

The Photoshop flaws meet that definition as they make arbitrary code execution a possibility.

Illustrator received fixes for two code execution vulnerabilities, each with a CVSS score of 7.8. Substance 3D Stager addresses five similar flaws, while Animate gets one. All of these vulnerabilities require user interaction and cannot be remotely triggered.

Cisco slipped out a couple of fixes, both of which it rated as medium severity. There’s an issue with the Snort intrusion detection system, which means trouble for some other Cisco security software that relies on it.

There’s also a certificate validation flaw in ThousandEyes Endpoint Agent for macOS and RoomOS (Cisco’s software for meeting room gear) that would allow a remote and unauthenticated user to falsely validate themselves as a trusted host. ThousandEyes Windows systems are safe for now.

Finally, SAP released 14 patches for its systems this month, with two critical, one high severity, and three medium flaws in NetWeaver Application Server for ABAP and newer ABAP Platform versions. There are also three medium severity flaws in SAP GUI for Windows, Java, and NetWeaver that should be fixed.

While we have mentioned plenty of nasties above, this is not the scariest month of patches we’ve reported. But that’s no reason for complacency, as bad actors will doubtless already be trying to flip the calendar from Patch Tuesday to Exploit Wednesday. ®
