2025’s first Patch Tuesday: 159 patches, including several zero-day fixes

Microsoft began 2025 with a hefty patch release this month, addressing eight zero-days with 159 patches for Windows, Microsoft Office and Visual Studio. Both Windows and Microsoft Office have “Patch Now” recommendations (with no browser or Exchange patches) for January.

Microsoft also released a significant servicing stack update (SSU) that changes how desktop and server platforms are updated, requiring additional testing on how MSI Installer, MSIX and AppX packages are installed, updated, and uninstalled. 

To navigate these changes, the Readiness team has provided this useful infographic detailing the risks of deploying the updates.

Known issues 

Readiness worked with both Citrix and Microsoft to detail the more serious update issues affecting enterprise desktops, including:

• Windows 10/11: Following the installation of the October 2024 security update, some customers report that theOpenSSH (Open Secure Shell) service fails to start, preventing SSH connections. The service fails without detailed logging; manual intervention is required to run the sshd.exe process. Microsoft is investigating the issue with no (as of now) published schedule for either mitigations or a resolution.

Citrix reported significant issues with its Session Recording Agent (SRA), causing the January update to fail to complete successfully. Microsoft published a security bulletin (KB5050009) that says: “Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings.” Once this situation occurs, however, the update process stops and proceeds to rollback to the original state.

In short, if you have the Citrix SRA installed, your device was (likely) not updated this month.

Major revisions

For this Patch Tuesday, we have the following revisions to previously released updates:

• CVE-2025-21311: Windows Installer Elevation of Privilege Vulnerability. Microsoft has released an updated group policy (SkuSiPolicy.p7b) to better handle security related issues with VBS scripts included in the knowledge note, “Guidance for blocking rollback of Virtualization-based Security (VBS)”.
• CVE-2025-21308: Windows Themes Spoofing Vulnerability. Microsoft recommends disabling NTLM for desktop systems to address this vulnerability. Guidance on the  process can be found here: Restrict NTLM: Outgoing NTLM traffic to remote servers.

Microsoft also released CVE-2025-21224 to address two memory related security vulnerabilities in the legacy line printer daemon (LPD), a Windows feature that has been deprecated for 15 years. I can’t see things improving for these print-related functions (given the problems we’ve seen for the past decade). Maybe now is the time to start removing these legacy features from your platform.

Windows lifecycle and enforcement updates

The following Microsoft products will be retired this year:

• Microsoft Genomics: Jan. 6, 2025
• Visual Studio App Center: March 31, 2025
• SAP HANA Large Instances (HLI): June 30, 2025

Of course, we don’t need to mention the elephant in the room. Microsoft will end support for Windows 10 in October.

Each month, we analyze Microsoft’s updates across key product families — Windows, Office, and developer tools — to help you prioritize patching efforts. This prescriptive, actionable, guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and apps.

For this release cycle from Microsoft, we have grouped the critical updates and required testing efforts into different functional areas including:

Remote desktop

January has a heavy focus on Remote Desktop Gateway (RD Gateway) and network protocols, with the following testing guidance:

• RD Gateway Connections: Ensure RD Gateway (RDG) continues to facilitate both UDP and TCP traffic seamlessly without performance degradation. Try disconnecting RDG from an existing/established connection.
• VPN, Wi-Fi, and Bluetooth Scenarios: test end-to-end configurations and nearby sharing functionality.
• DNS Management for Operators: Verify that users in the “Network Configuration Operators” group can manage DNS client settings effortlessly.

Local Windows file system and storage

File system and storage components also get minor updates. Desktop and server file system testing efforts should focus on:

• Offline Files and Mapped Drives: Test mapped network drives under both online and offline conditions. Pay close attention to Sync Center status updates.
• BitLocker: Validate drive locking and unlocking, BitLocker-native boot scenarios, and post-hibernation states with BitLocker enabled.

Virtualization and Microsoft Hyper-V

Hyper-V and virtual machines receive lightweight updates:

• Traffic Testing: Install the Hyper-V feature and restart systems. Monitor network performance and ensure no regressions in virtual network traffic or virtual machine management.

Security and authentication

Key areas for security-related testing include:

• Digest Authentication Stress Testing: Simulate heavy loads while using Digest authentication to uncover potential issues.
• SPNEGO Negotiations: Verify Secure Negotiation Protocol (SPNEGO) functionalities in cross-domain or multi-forest Active Directory setups.
• Authentication Scenarios: Test applications relying on LSASS processes and ensure that protocols like Kerberos, NTLM, and certificate-based authentication remain stable under load.

Other critical updates

There are some additional testing priorities for this release:

• App Deployment Scenarios: Install and update MSIX/Appx packages with and without packaged services, confirming admin-only requirements for updates.
• WebSocket Connections: Establish and monitor secure WebSocket connections, ensuring proper encryption and handshake results.
• Graphics and Themes: Test GDI+-based apps and workflows involving theme files to ensure UI elements render correctly across different view modes. Some suggestions include foreign language applications that rely on Input Method Editors (IMEs).

January’s updates maintain a medium-risk profile for most systems, but testing remains essential — especially for networking, authentication, and file system scenarios. We recommend prioritizing remote network traffic validation, with light testing for storage and virtualization environments. If you have a large MSIX/Appx package portfolio, there’s a lot of work to do to ensure that your package installs, updates and uninstalls successfully.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

• Browsers (Microsoft IE and Edge) 
• Microsoft Windows (both desktop and server) 
• Microsoft Office
• Microsoft Exchange and SQL Server 
• Microsoft Developer Tools (Visual Studio and .NET)
• Adobe (if you get this far) 

Browsers

There were no Microsoft browser updates for Patch Tuesday this month. Expect Chromium updates that will affect Microsoft Edge in the coming week. (You can find the enterprise release schedule for Chromium here.)

Microsoft Windows

This is a pretty large update for the Windows ecosystem, with 124 patches for both desktops and servers, covering over 50 product/feature groups. We’ve highlighted some of the major areas of interest:

• Fax/Telephony
• MSI/AppX/Installer and the Windows update mechanisms
• Windows COM/DCOM/OLE
• Networking, Remote Desktop
• Kerberos, Digital Certificates, BitLocker, Windows Boot Manager
• Windows graphics (GDI) and Kernel drivers

Unfortunately, Windows security vulnerabilities CVE-2025-21275 and CVE-2025-21308 both affect core application functionality and have been publicly disclosed. Add these Windows updates to your “Patch Now” release schedule.

Microsoft Office

Microsoft Office gets three critical updates, and a further 17 patches rated important. Unusually, three Microsoft Office updates affecting Microsoft Access fall into the zero-day category with CVE-2025-21366, CVE-2025-21395 and CVE-2025-21186 publicly disclosed. Add these Microsoft updates to your “Patch Now” calendar.

Microsoft Exchange and SQL Server

There were no updates from Microsoft for SQL Server or Microsoft Exchange servers this month. 

Microsoft Developer Tools (Visual Studio and .NET)

Microsoft has released seven updates rated as important affecting Microsoft .NET and Visual Studio. Given the urgent attention required for Office and Windows this month, you can add these standard, low-profile patches to your standard developer release schedule. 

Adobe and third-party updates

No Adobe related patches were released by Microsoft this month. However, two third-party, development related updates were published; they affect GitHub (CVE-2024-50338) and CERT CC patch (CVE-2024-7344). Both updates can be added to the standard developer release schedule.