Post-Patch Tuesday Roundup: January 2025 | Softcat

Post-Patch Tuesday Roundup: January 2025

Welcome to the Softcat Patch Tuesday roundup for January 2025, where we offer insight into the major patches released this month. In this edition, we will focus on the patches by Microsoft, Adobe, Cisco, Fortinet, Ivanti, SAP, Sonicwall, Veeam and VMware.


Greg Smith

Cyber Security Engineer

Some of these findings have critical CVSS scores, as high as 9.8, but show no evidence of being exploited in the wild, whilst some with lower ratings (7.8) have been seen to be exploited.


Microsoft

In its January Patch Tuesday release, Microsoft addressed 159 vulnerabilities. This is nearly double the number from December 2024 and the highest single-month total since 2017. 12 of these are rated Critical and 8 are zero-day vulnerabilities. The patches cover a broad array of applications and services, including Windows, Visual Studio, Exchange, .NET, Office, Windows Installer, Active Directory, the Windows Recovery Environment, SharePoint, Azure, and more.

This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and spoofing. Outlined below are some of the more critical/important vulnerabilities detailed in this month’s Patch Tuesday:

Critical

CVE-2025-21307 – This is a Remote Code Execution vulnerability in the Windows Reliable Multicast Transport Driver (RMCAST) that can allow an attacker to execute arbitrary code on the affected system. It is rated as Critical, with a high CVSS score of 9.8. The vulnerability is triggered by a use-after-free condition and could be exploited remotely over the network without user interaction, requiring no privileges. Although this has not been exploited in the wild, users should still prioritise applying the official fix to mitigate the risk of future exploitation.

CVE-2025-21311 – This is an Elevation of Privilege vulnerability in Windows NTLM V1 that can allow an attacker to gain higher privileges on the affected system. It is rated as Critical, with a high CVSS score of 9.8. The vulnerability is caused by an incorrect implementation of the authentication algorithm, and can be exploited remotely over the network without requiring user interaction or privileges. Although this has not been exploited in the wild, users should still prioritise applying the official fix to mitigate the risk of future exploitation.

CVE-2025-21298 – This is a Remote Code Execution vulnerability in Windows OLE that can allow an attacker to execute arbitrary code on the affected system. It is rated as Critical, with a high CVSS score of 9.8. The vulnerability arises from a use-after-free error and can be triggered remotely over the network without requiring user interaction or privileges. Since exploitation is considered more likely, users should apply the official fix as soon as possible to reduce the risk of potential exploitation.

High

CVE-2025-21333 – This is an Elevation of Privilege vulnerability in Windows Hyper-V NT Kernel Integration that can allow an attacker to gain elevated privileges on a vulnerable system. This was detected by Microsoft. It is rated as Important, with a CVSS score of 7.8. Since this is known to have been exploited in the wild, users should look to patch this vulnerability as soon as possible to prevent potential exploitation. The attacker must have low privileges and local access to the system, and no user interaction is required to exploit this vulnerability.


Adobe

Adobe has released 5 patches this month, addressing 14 vulnerabilities.

The applications in question are:

· Photoshop

· Substance 3D Stager

· Substance 3D Designer

· Illustrator (iPad)

· Animate

All of these vulnerabilities are rated as a priority 3 by Adobe, meaning they relate to a product that has historically not been a target for attackers.


Cisco

Cisco has so far released 5 advisory notices for 5 vulnerabilities found in January, with impact ratings ranging from Medium to High. The High-rated vulnerability relates to the Cisco NX-OS bootloader. It allows an unauthenticated attacker with physical access, or an authenticated attacker with administrative credentials, to bypass image signature verification during the boot process.


Fortinet

Fortinet has addressed 29 vulnerabilities in January, more than is traditionally seen: 2 Critical, 12 High, 12 Medium and 3 Low severity.

Critical

The first critical vulnerability affects FortiSwitch. It could allow a remote, unauthenticated attacker possessing the key to execute unauthorised code by sending crafted cryptographic requests. The vulnerability affects multiple versions of FortiSwitch software, with specific versions in each release branch being vulnerable. The recommendation is to upgrade the FortiSwitch version.

The second critical vulnerability, present in FortiOS versions 7.0.0–7.0.16 and FortiProxy versions 7.2.0–7.2.12, allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module. This vulnerability is actively exploited in the wild. Affected users should upgrade to FortiOS 7.0.17 or higher, and FortiProxy 7.2.13 or higher, to mitigate the risk.


Ivanti

Ivanti has addressed three products in its January security update: Avalanche, Application Control Engine, and Ivanti EPM. Additionally, and perhaps more importantly, the security update released on the 8th of January details two actively exploited vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA Gateways.


SAP

SAP has released 15 new security notes and 5 updates to previous security notes. 2 of these CVEs are rated "Critical", 3 are "High", 8 are "Medium" and 1 is "Low". The products affected by the Critical CVEs are:

· SAP NetWeaver AS for ABAP and ABAP Platform

· SAP NetWeaver & ABAP Platform

The "High" rated CVEs affect:

· SAP NetWeaver & ABAP Platform

· SAP BusinessObjects Business Intelligence Platform

· SAPSetup


SonicWall

SonicWall has warned customers of a high-severity authentication bypass vulnerability (CVE-2024-53704) in SSL VPN and SSH management, affecting Gen 6/6.5 and Gen 7 firewalls. The flaw, with a CVSS score of 8.2, is exploitable and requires an immediate firmware upgrade to the latest versions. The update also addresses other vulnerabilities, including weak SSL VPN tokens (CVE-2024-40762), SSRF (CVE-2024-53705), and privilege escalation in Cloud NSv (CVE-2024-53706). Users are advised to restrict access from untrusted sources and disable internet-facing SSH management.


Veeam

Veeam has issued a single notification, regarding Veeam Backup for Microsoft Azure.

A high-severity SSRF vulnerability (CVE-2025-23082), rated 7.2, in Veeam Backup for Microsoft Azure allows attackers to send unauthorised requests, potentially enabling network enumeration or other attacks. The issue affects deployments managing Azure workloads and is fixed in newer versions.


VMware

VMware has released a single patch for a vulnerability found within Aria Automation. VMware Aria Automation has a server-side request forgery (SSRF) vulnerability (CVE-2025-22215), rated as moderate (CVSS 4.3). The flaw allows a malicious actor with "Organisation Member" access to enumerate internal services on the host or network. Patches are available to fix this issue in affected VMware products. There are no workarounds for this vulnerability.


Industrial Control Systems

Any customers utilising industrial control systems (ICS) should be aware of the following security advisories:

· Hitachi Energy FOXMAN-UN

· Schneider Electric Vijeo Designer

· Schneider Electric EcoStruxure

· Belledonne Communications Linphone-Desktop

· Schneider Electric PowerChute Serial Shutdown

· Schneider Electric Harmony HMI and Pro-face HMI Products

· Delta Electronics DRASimuCAD

· Rockwell Automation Arena (Update A)


As always, users are recommended to install the latest security updates as soon as possible to protect their systems from potential threats.
