
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging Windows users to update their systems to address actively exploited vulnerabilities. Microsoft’s Patch Tuesday release plugs a total of 161 security holes.
Microsoft addressed 161 vulnerabilities in January, its monthly patch day. Some flaws are very serious and might completely compromise systems and user data.
Outlook users in danger
A critical remote code execution was found in the Windows Object Linking and Embedding (OLE) technology that allows embedding and linking to documents and other objects. Its severity is rated at 9.8 out of 10.
To exploit it, attackers could send specially crafted emails to victims, and the malicious payload would run when the Microsoft Outlook application displays a preview, without actually opening an email. The risk lies in opening RTF Files from unknown or untrusted sources.
“This could result in the attacker executing remote code on the victim's machine,” Microsoft said.
As a workaround, Microsoft recommends that “users read email messages in plain text format.” This way email messages will not contain pictures, specialized fonts, animations, or other rich content.
To read email messages in plain text, Outlook users can click the ‘File’ tab, choose ‘Options,’ go to Trust Center, and click ‘Trust Center Settings.’ There, choose ‘Email Security,’ and under ‘Read as Plain Text,’ select the ‘Read all standard mail in plain text’ check box.
At the time of patching, Microsoft hadn’t detected any publicly disclosed exploitation of this flaw, and the proven exploit code wasn’t available. However, the tech giant warns that exploitation of the flaw labeled CVE-2025-21298 is more likely in the future.
“The attack path through the preview when receiving an email in Microsoft Outlook is worrying. Due to the widespread use of Microsoft products in general and the comparatively simple attack scenario, it must be assumed that attack attempts will take place in the short term,” German federal cyber security agency BSI warns.
“IT security managers should install the patches for the vulnerability CVE-2025-21298 with high priority.”
Remote servicing affected
Another severe remote code execution vulnerability with a score of 8.1 affects the Windows Remote Desktop Service. Microsoft assesses that its exploitation is also likely to be exploited in the future.
“An attacker could successfully exploit this vulnerability by connecting to a system with the Remote Desktop Gateway role, triggering the race condition to create a use-after-free scenario, and then leveraging this to execute arbitrary code,” Microsoft explains.
Successful exploitation of this vulnerability (CVE-2025-21309) requires attackers to win a ‘race condition,’ which means that they need to quickly take advantage of timing issues.
Zero-days addressed
Three zero-days, with a severity rating of 7.8, are found to be exploited in the wild and are particularly concerning to cybersecurity authorities. They enable attackers to obtain the highest (SYSTEM) privileges and maintain persistence.
All three privilege escalation flaws affect Microsoft Windows Hyper-V NT Kernel Integration VSP, a component of the Microsoft virtualization platform.
Microsoft did not provide any specific details about the in-the-wild exploitation of the flaws.
“As elevation of privilege bugs, they’re being used as part of post-compromise activity, where an attacker has already accessed a target system,” Tenable’s Satnam Narang told krebsonsecurity.com.
The CISA included the CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 in its Known Exploited Vulnerabilities List and set January 21st, 2025, as a due date for federal agencies to address them.
Some of the other patched vulnerabilities in the list affect Office products such as Excel, Visio, Sharepoint, and others. They enable attackers to bypass Office macro policies by crafting malicious files and running remote code.
Tenable warns that some remote code vulnerabilities affect Microsoft Access, a database management system. Rated 7.8, the flaws can be exploited by remote unauthenticated attackers who convince targets through social engineering to download and open malicious files.
“Successful exploitation would grant an attacker arbitrary code execution privileges on the vulnerable system,” Tenable said.
The full list of Microsoft’s January 2025 Patch Tuesday update can be found here.
Your email address will not be published. Required fields are markedmarked