Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
WARNING: MICROSOFT PATCH TUESDAY JANUARY 5 PATCHES 157 VULNERABILITIES (10 CRITICAL, 147 IMPORTANT, 0 MODERATE), PATCH IMMEDIATELY!!
Image
Published : 15/01/2025
Reference:
Advisory #2025-010
Version:
1.1
Affected software:
Various Microsoft products
Type:
Several types, ranging from Spoofing to Remote Code Execution and Privilege Escalation.
CVE/CVSS:
Microsoft patched 157 vulnerabilities in its January 2025 Patch Tuesday release, 10 rated as critical, 147 rated important. Including 5 0-day vulnerabilities and 3 vulnerabilities that are actively exploited.Number of CVE by type:
- 58 Remote Code Execution vulnerabilities
- 40 Elevation of Privilege vulnerabilities
- 21 Information Disclosure vulnerabilities
- 5 Spoofing vulnerability
- 20 Denial of Service vulnerabilities
- 13 Security Feature Bypass vulnerabilities
Sources
Microsoft - https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan
Risks
Microsoft’s January 2025 Patch Tuesday includes 157 vulnerabilities (10 critical, 147 important, 0 moderate and 0 low), for a wide range of Microsoft products, impacting Microsoft Server and Workstations; as well as 2 non-Microsoft vulnerabilities. This Patch Tuesday includes 3 actively exploited vulnerabilities and 5 0-Days. Some other vulnerabilities are also more likely to be exploited soon, therefore urgent patching is advised.
Update: 17-01-2025
In Microsoft's Patch Tuesday update form the 14th of January 2025, Microsoft ixed CVE-2024-7344, a critical vulnerability in Windows that allowed attackers to bypass the UEFI Secure Boot on the majority of UEFI-based systems.
The issue has been fixed in all the impacted products and the old, vulnerable binaries were revoked by Microsoft. All UEFI systems with Microsoft third-party UEFI signing enabled are affected (Windows 11 Secured-core PCs should have this option disabled by default). The vulnerability affected devices to which attackers had already gained privileged access and allowed them to execute untrusted code during system boot, enabling potential attackers to easily deploy malicious UEFI bootkits.
Description
Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.
The CCB would like to point your attention to following vulnerabilities:
CVE-2025-21333, CVE-2025-21334, CVE-2025-21335: Windows Hyper-V NT Kernel Integration VSP (0-days, Actively exploited, Important)
Elevation of Privilege vulnerabilities. All three CVEs are assigned a CVSS score of 7.8. An authenticated, local attacker could exploit these vulnerabilities to elevate privileges to SYSTEM. Successful exploitation could lead to significant security breaches.
According to Microsoft all three vulnerabilities were exploited in the wild as zero-days. There is currently no specific details about the in-the-wild exploitation (cut-off date: 15 January 2025).
CVE-2025-21186, CVE-2025-21366, CVE-2025-21395: Microsoft Access (0-days, Important)
Remote code execution vulnerabilities. All three vulnerabilities were assigned a CVSSv3 score of 7.8. A remote, unauthenticated attacker could exploit these vulnerabilities by convincing a target through social engineering to download and open a malicious file. Successful exploitation would grant an attacker arbitrary code execution privileges on the vulnerable system.
Microsoft released an update which blocks potentially malicious extensions from being sent in an email thereby mitigating the risk of exploitation. Access is blocked for the following extensions:
- accdb
- accde
- accdw
- accdt
- accda
- accdr
- accdu
According to Microsoft, these three vulnerabilities were publicly disclosed prior to a patch being available (zero-days). At this time, Microsoft does not report active exploitation (cut-off date: 15 January 2025).
CVE-2025-21297, CVE-2025-21309: Windows Remote Desktop Services (Critical)
Remote code execution vulnerabilities. Both of these vulnerabilities were assigned CVSSv3 scores of 8.1. According to Microsoft, successful exploitation of these flaws requires an attacker to connect to a system with the Remote Desktop Gateway role and trigger a race-condition that creates a use-after-free scenario which can be leveraged to execute arbitrary code.
Although both CVEs have the same CVSS score, CVE-2025-21309 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index, while CVE-2025-21297 was assessed as “Exploitation Less Likely.”
At this time, Microsoft does not report active exploitation (cut-off date: 15 January 2025).
CVE-2025-21298: Windows OLE (Critical)
Remote code execution vulnerability. This vulnerability was assigned a CVSSv3 score of 9.8. An attacker could exploit this vulnerability by sending a specially crafted email to a target. Successful exploitation would lead to remote code execution on the target system if the target opens this email using a vulnerable version of Microsoft Outlook or if their software is able to preview the email through a preview pane.
Microsoft’s advisory for this vulnerability recommends configuring Microsoft Outlook to read email messages “in plain text format” instead of a rich format that will display other types of content, such as photos, animations or specialized fonts.
It has been assessed as “Exploitation More Likely.” At this time, Microsoft does not report active exploitation (cut-off date: 15 January 2025).
2025-02-14 UPDATE: A PoC for CVE-2025-21298 has been publicly released. This significantly increases the chances of active exploitation of this vulnerability!
CVE-2025-21311: Windows NTLMv1 (Critical)
Elevation of privilege vulnerability. This vulnerability received a CVSSv3 score of 9.8. It affects Windows NTLMv1, an older Microsoft authentication protocol currently still used by many organizations. Successful exploitation enables a remote attacker to elevate privileges.
Microsoft published mitigations to prevent the use of NTLMv1 while still allowing NTLMv2. Both are deprecated protocols[1].
Despite Microsoft assessing that exploitation of this vulnerability does not require significant prior knowledge of the system, exploitation is deemed “less likely. At this time, Microsoft does not report active exploitation (cut-off date: 15 January 2025).
CVE-2025-21308: Windows Themes (Important)
Spoofing vulnerability. This vulnerability received a CVSSv3 score of 6.5 and was publicly disclosed prior to a patch being made available. Successful exploitation leads to improper disclosure of an NTLM hash, which allows an attacker to impersonate the user from whom it was acquired. According to Microsoft, successful exploitation requires an attacker to convince a user to load a malicious file, then convince the user to manipulate the specially crafted file.
Systems that have disabled NTLM are not affected. Microsoft has provided a list of mitigations including disabling New Technology LAN Manager (NTLM) or using group policy to block NTLM hashes.
At this time, Microsoft does not report active exploitation (cut-off date: 15 January 2025).
CVE-2025-21275: Windows App Package Installer (Important)
Elevation of privilege vulnerability. This vulnerability was assigned a CVSSv3 score of 7.8. A local, authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges. These types of flaws are often associated with post-compromise activity, after an attacker has breached a system through other means.
According to Microsoft, this vulnerability was publicly disclosed prior to a patch being available. At this time, Microsoft does not report active exploitation (cut-off date: 15 January 2025).
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
SANS Internet Storm Center - https://isc.sans.edu/diary/Microsoft%20January%202025%20Patch%20Tuesday/31590
Bleeping Computer - https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/