January 15, 2025
Severity
High
Analysis Summary
Microsoft began 2025 with its largest monthly patch release to date, addressing 161 security vulnerabilities, including three actively exploited zero-day flaws. Of these, 11 are rated Critical and 149 Important.
The remaining entry, a Windows Secure Boot bypass (CVE-2024-7344), was patched without a severity rating; it affects a third-party signed UEFI application and is addressed by revoking the vulnerable binaries through the Secure Boot DBX update. According to the Zero Day Initiative, this release surpasses every monthly Patch Tuesday since 2017 in the number of CVEs fixed. Separately, seven vulnerabilities in the Chromium-based Edge browser have been fixed since the December 2024 Patch Tuesday release.
Prominent among the fixes are three actively exploited flaws in the Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335), each with a CVSS score of 7.8. All three allow a local attacker to escalate privileges to SYSTEM. Microsoft has not disclosed how they are being exploited, but as local privilege-escalation bugs they are necessarily used post-compromise: the attacker already has code execution on the host and uses the flaw to move from a low-privileged account to SYSTEM. Because the Virtualization Service Provider (VSP) runs in the root partition and services requests from guest partitions, a bug in it weakens a security boundary that virtualization hosts depend on. CISA has added all three to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by February 4, 2025.
Microsoft also addressed five publicly disclosed (but not known to be exploited) vulnerabilities, including three remote code execution flaws in Microsoft Access (CVE-2025-21186, CVE-2025-21366 and CVE-2025-21395). The other two are CVE-2025-21275, a privilege escalation in the Windows App Package Installer, and CVE-2025-21308, a Windows Themes spoofing flaw that discloses NTLM hashes: a malicious theme file that references a remote path causes Windows to send the user's NTLM credentials to an attacker-controlled server as soon as the file is rendered in Explorer, with no further interaction. CVE-2025-21308 is a bypass of the fix for CVE-2024-38030, a reminder that patches for credential-leak bugs are often incomplete and that outbound NTLM should be restricted as defence in depth. The three Microsoft Access vulnerabilities were attributed to Unpatched.ai, which discovered them through AI-guided vulnerability detection.
Among the most critical vulnerabilities patched are CVE-2025-21294 (Microsoft Digest Authentication) and CVE-2025-21295 (SPNEGO Extended Negotiation, NEGOEX), both remote code execution flaws rated CVSS 8.1, along with CVE-2025-21298 (Windows OLE), CVE-2025-21307 (Windows Reliable Multicast Transport driver, RMCAST) and CVE-2025-21311 (Windows NTLM V1), all rated CVSS 9.8. Together they allow remote code execution and privilege escalation through varied attack vectors, including specially crafted emails. CVE-2025-21298 is reachable through Microsoft Outlook: an attacker who sends a malicious email can execute code when the victim opens it, and the Preview Pane alone is an attack vector, so no attachment needs to be launched. This is why reading email in plain text (which disables rich-content rendering of untrusted messages) and avoiding unknown attachments remain worthwhile mitigations even on patched systems.
Additionally, an information disclosure flaw in Windows BitLocker, CVE-2025-21210, could expose the contents of hibernation images. An attacker with physical access to the disk could read hibernation images in plaintext and recover whatever was in memory when the machine hibernated, potentially including passwords and other sensitive data. The flaw underscores that disk encryption protects data at rest only as well as the system handles memory snapshots, and that physical access controls and timely patching are both needed. Other vendors have also released security updates over the past few weeks.
Impact
- Code Execution
- Privilege Escalation
- Information Disclosure
- Security Bypass
Remediation
- Apply the January 2025 security updates immediately. On Hyper-V hosts, restrict access to the root partition to trusted administrators only, since CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are exploited locally by an attacker who already has code execution there.
- Apply the Windows Themes fix for CVE-2025-21308 and, where feasible, restrict outbound NTLM authentication to remote servers so that a future bypass cannot leak credential hashes.
- Patch CVE-2025-21298 (Windows OLE, reachable through Outlook) without delay; the Preview Pane alone can trigger it.
- Configure email clients to read messages in plain text format.
- Avoid opening emails or attachments from unknown senders.
- Apply the BitLocker fix for CVE-2025-21210 to secure hibernation data.
- Use full-disk encryption and enforce strong BIOS/UEFI passwords to protect physical devices.
- Regularly update all Microsoft software, including Office and Edge, to the latest versions.
- Enable automatic updates where possible.
- Perform regular vulnerability scans to identify unpatched systems.
- Train employees to recognise phishing emails and social engineering attacks.
- Monitor security advisories from Microsoft and other relevant sources for timely action.
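The following PowerShell script is an added example, not code from the advisory or from Microsoft. It audits a single Windows host against the remediation list above and the NTLM, Outlook and BitLocker points made in the analysis: it checks that a Windows update has been installed since Patch Tuesday, reports the NTLM and Outlook plain-text registry settings, and reports BitLocker and hibernation state. With -Enforce it also applies the registry hardening. The registry paths and values are documented Windows and Outlook settings; the choice of target values (LmCompatibilityLevel 5, outbound NTLM denied, Outlook ReadAsPlain) is the editor's hardening baseline and is not prescribed by the advisory. It assumes Outlook 2016 or later (registry hive 16.0) and an elevated session.

```powershell
<#
  Added example (not from the advisory): audit one Windows host against the
  January 2025 Patch Tuesday guidance and optionally apply registry hardening.
  Run from an elevated PowerShell 5.1 or 7 session. Assumptions: Outlook 2016+
  (hive 16.0); target values are an editorial baseline, not Microsoft guidance.
#>
[CmdletBinding()]
param(
    [switch]$Enforce   # without this switch the script only reports
)

$PatchTuesday = Get-Date -Date '2025-01-14'   # release day of the January 2025 updates

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$Why)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Expected) {
        Write-Output "OK    ${Name} = $current  ($Why)"
    } elseif ($Enforce) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $Expected -PropertyType DWord -Force | Out-Null
        Write-Output "FIXED ${Name}: '$current' -> $Expected  ($Why)"
    } else {
        Write-Output "WARN  ${Name} = '$current', expected $Expected  ($Why)"
    }
}

# 1. Windows cumulative update: look for anything installed on or after Patch Tuesday.
#    Get-HotFix lists Windows updates only; Office/Outlook patches do not appear here.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }
if ($recent) {
    Write-Output "OK    Windows updates since 2025-01-14: $(($recent.HotFixID | Sort-Object -Unique) -join ', ')"
} else {
    Write-Output 'WARN  No Windows update installed since 2025-01-14; the January cumulative update is probably missing'
}

# 2. NTLM exposure (CVE-2025-21308 hash disclosure, CVE-2025-21311 NTLMv1 flaw).
#    LmCompatibilityLevel 5: send NTLMv2 only, refuse LM and NTLMv1.
Test-RegistryValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'LmCompatibilityLevel' -Expected 5 -Why 'refuse LM/NTLMv1 authentication'
#    RestrictSendingNTLMTraffic 2 = deny outbound NTLM to remote servers, which is exactly
#    what a hash-leaking theme or document triggers. Use 1 (audit only) first on estates
#    that still rely on NTLM to reach legacy file servers.
Test-RegistryValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -Name 'RestrictSendingNTLMTraffic' -Expected 2 -Why 'deny outbound NTLM'

# 3. Outlook Preview Pane exposure (CVE-2025-21298): read all standard mail as plain text.
#    This key is per user (HKCU), so it covers only the account running the script.
Test-RegistryValue -Path 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail' `
    -Name 'ReadAsPlain' -Expected 1 -Why 'render mail as plain text'

# 4. BitLocker and hibernation (CVE-2025-21210 exposes hibernation images on unpatched hosts).
$hib = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
        -Name 'HibernateEnabled' -ErrorAction SilentlyContinue).HibernateEnabled
$blv = $null
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
}
if ($blv -and $blv.ProtectionStatus -eq 'On') {
    Write-Output "OK    BitLocker protection is On for $env:SystemDrive"
} else {
    Write-Output "WARN  BitLocker is not protecting $env:SystemDrive (or the BitLocker module is unavailable)"
}
if ($hib -eq 1 -and -not $recent) {
    Write-Output 'WARN  Hibernation is enabled on an unpatched host: hibernation data may be recoverable with physical access'
} else {
    Write-Output "OK    Hibernation enabled = $hib; update since Patch Tuesday present = $([bool]$recent)"
}
```

Run it once without -Enforce to see the WARN lines, review them against the environment (denying outbound NTLM in particular can break authentication to legacy file servers, which is why the audit value 1 exists), and only then re-run with -Enforce or push the same values through Group Policy. The hotfix check is deliberately coarse: it proves that some update landed after Patch Tuesday, not that the specific January cumulative update did, so pair it with a vulnerability scanner for the authoritative answer.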