Microsoft started 2025 by patching 161 security vulnerabilities across its various software offerings, including three actively exploited in attacks. Of the 161 bugs, 11 are rated critical, and 149 are severe. This is also the largest number of CVEs Redmond has addressed in a month since 2017.
The three actively exploited flaws are present in the Windows Hyper-V NT Kernel Integration VSP. They’ve been assigned CVE IDs CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335. Microsoft’s advisory says any attacker successfully exploiting these bugs can gain system privileges.
Additionally, the software giant hasn’t disclosed the identity of any threat actors exploiting them, the scale of the attacks, or even how these vulnerabilities are being exploited. However, given that they’re privilege escalation bugs they’re likely exploited after an intruder has gained access to the targeted systems.

The exploitation has led the US Cybersecurity and Infrastructure Security Agency (CISA) to add them to its Known Exploited Vulnerabilities directory and instructed federal agencies to patch their systems by February 4, 2025.
Five additional bugs that were patched in the update are also publicly known. These include three remote code execution vulnerabilities in Microsoft Access dubbed CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395, with CVSS scores of 7.8 each. One Windows App Package Installer elevation of privilege vulnerability dubbed CVE-2025-21275 rated 7.8 on the CVSS scale, and a Windows Themes spoofing vulnerability dubbed CVE-2025-21308 with a CVSS score of 6.5.
Redmond also patched seven vulnerabilities in its Chromium-based Edge browser since its last patch Tuesday in December 2024. Additionally, several major software vendors, including but not limited to Adobe, Amazon, ASUS, Arm, Cisco, D-Link, Dell, Fortinet, GitHub, GitLab, Google, HP, Lenovo, MediaTek, Ubuntu, Nvidia, Qualcomm among others have also released patches to remedy vulnerabilities in their programs.
In the News: Ransomware allegedly hits Indus Tower, hackers demand $500,000