Virtual Administrator’s January Patch Recommendations
This month Microsoft released patches for 159 vulnerabilities with 11 rated “Critical” in severity.
All new patches will be approved in our patch policy.
This is the largest monthly release since 2017: 159 vulnerabilities, including three zero-days that were already being exploited when the patches shipped.
- The exploited zero-days are three Elevation of Privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335).
- Three CVEs, CVE-2025-21311, CVE-2025-21298, and CVE-2025-21307, have a CVSS score of 9.8. All three are fixed in the monthly CU.
- CVE-2025-21311 is a bug in Windows NTLMv1 (NT LAN Manager version 1), an older Microsoft authentication protocol.
- CVE-2025-21298 is a Windows OLE Remote Code Execution vulnerability.
- CVE-2025-21307 is a remote code execution vulnerability affecting the Windows Reliable Multicast Transport Driver (RMCAST).
There are a few new SSUs for Windows Server 2008/2012/2016 and Windows 10 versions 1507/1607.
Disclosed: CVE-2025-21186, CVE-2025-21275, CVE-2025-21308, CVE-2025-21366, CVE-2025-21395
Exploited: CVE-2025-21333, CVE-2025-21334, CVE-2025-21335
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:1/14/2025)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.
Heads Up!
Full Enforcement mode for Certificate-based authentication changes on Windows DCs starting February 2025
KB5014754: Certificate-based authentication changes on Windows domain controllers
https://support.microsoft.com/topic/ad2c23b0-15d8-4340-a468-4d4f3b188f16
Starting in February 2025, authentication with certificates that do not meet the strong mapping requirements will be denied (Full Enforcement mode). If something breaks you can move a DC back to Compatibility mode, but only until September 2025.
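Before February, the thing to do is find out which certificates your DCs would reject. The script below is an added example, not part of this newsletter or of KB5014754; the registry value and the KDC event IDs it uses are the ones documented in that KB, and the .cer path and account name at the bottom are placeholders. It reports the current enforcement mode, lists the KDC warnings logged in Compatibility mode for certificates that lack a strong mapping, and builds the strong X509IssuerSerialNumber mapping string so the fix can be applied to the account rather than by weakening the DC.

```powershell
# Added example: readiness check for Full Enforcement of certificate-based authentication.
# Run on a domain controller. Registry value and event IDs are from KB5014754.

$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-CertBindingMode {
    # StrongCertificateBindingEnforcement: 0 = Disabled, 1 = Compatibility, 2 = Full Enforcement.
    # A missing value means the OS default applies (Full Enforcement after the February 2025 update).
    $v = (Get-ItemProperty -Path $KdcKey -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    switch ($v) {
        0       { 'Disabled' }
        1       { 'Compatibility' }
        2       { 'FullEnforcement' }
        default { 'NotSet (OS default)' }
    }
}

function Set-CertBindingCompatibility {
    # Temporary rollback to Compatibility mode; Microsoft removes this override in September 2025.
    New-ItemProperty -Path $KdcKey -Name StrongCertificateBindingEnforcement -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-WeakCertMappingEvents {
    param([int]$Days = 30)
    # In Compatibility mode the KDC logs a warning for every certificate it would reject under Full Enforcement:
    # 39 = no strong mapping, 40 = certificate predates the account, 41 = SID in certificate does not match the account.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

function New-IssuerSerialMapping {
    # Builds the strong altSecurityIdentities value "X509:<I>issuer<SR>serial":
    # issuer RDNs in reverse order with no spaces, serial number in reverse byte order (KB5014754 format).
    # Assumption: no RDN value contains an escaped comma, so splitting on ", " is safe.
    param([Parameter(Mandatory)][string]$CerPath)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $issuer = @($cert.Issuer -split ', ' | ForEach-Object { $_.Trim() })
    [array]::Reverse($issuer)
    $serialBytes = @($cert.SerialNumber -split '(..)' | Where-Object { $_ })
    [array]::Reverse($serialBytes)
    "X509:<I>$($issuer -join ',')<SR>$($serialBytes -join '')"
}

# Usage: see what would break, then fix the mapping on the account.
Get-CertBindingMode
Get-WeakCertMappingEvents -Days 30 | Format-Table -AutoSize
# $mapping = New-IssuerSerialMapping -CerPath 'C:\temp\jdoe.cer'    # placeholder path
# Set-ADUser -Identity jdoe -Add @{ altSecurityIdentities = $mapping }   # placeholder account
```

Event 39 is the one to watch: every certificate it names is a logon that will fail in February unless the account gets an explicit strong mapping or the certificate is reissued with the SID extension.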
Known Issues
Microsoft updates fail to install on machines with Citrix Session Recording Agent (SRA) version 2411 installed.
Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues it is unlikely to occur now.
A good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.
https://docs.microsoft.com/en-us/windows/release-health/
Windows release health
“Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024.”
Affected platforms: Windows
Symptom: Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to “Something didn’t go as planned. No need to worry – undoing changes” appears. The device will then revert to the Windows updates previously present on the device.
Workaround: Citrix has documented this issue, including a workaround, which can be performed prior to installing the January 2025 Windows security update. For details, see Citrix’s documentation.
Status: Microsoft is working with Citrix to address this issue and will update this documentation once a resolution is available.
Citrix’s documentation
Microsoft’s January security update fails/reverts on a machine with 2411 Session Recording Agent
Symptoms or Error: Microsoft’s January security update installation fails/reverts on a machine having 2411 Session Recording Agent
Solution: Citrix is investigating this issue. As a workaround, stop the Session Recording Monitoring service, install the Microsoft security update, and enable the Session Recording Monitoring service.
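The workaround is easy to get wrong because the rollback happens at the restart, not during installation. The script below is an added example, not Citrix's or Microsoft's; it locates the service by its display name with a wildcard (the exact service name is an assumption), disables rather than merely stops it so it cannot start again on the reboot that completes the update, installs a downloaded .msu (placeholder path), reboots, and is then run again with -Restore to put the service back.

```powershell
# Added example: apply the Citrix Session Recording Agent 2411 workaround around the January 2025 CU.
# Assumptions: service found by display name wildcard; update is a local .msu (placeholder path).
param(
    [string]$MsuPath = 'C:\Patches\windows-january-2025.msu',   # placeholder
    [switch]$Restore                                            # run with -Restore after the reboot
)

$svc = Get-Service | Where-Object { $_.DisplayName -like '*Session Recording Monitoring*' }
if (-not $svc) { throw 'Session Recording Monitoring service not found; this host may not be affected.' }

if ($Restore) {
    Set-Service -Name $svc.Name -StartupType Automatic
    Start-Service -Name $svc.Name
    Write-Host "Re-enabled $($svc.DisplayName)"
    return
}

# Disable, not just stop: the failure is observed at restart, after the service would normally come back.
Set-Service -Name $svc.Name -StartupType Disabled
Stop-Service -Name $svc.Name -Force

if (-not (Test-Path $MsuPath)) { throw "Update package not found: $MsuPath" }
# wusa.exe installs the .msu; /norestart so the reboot is ours to control.
$p = Start-Process -FilePath wusa.exe -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
# 0 = installed, 3010 = reboot required, 2359302 (0x240006) = already installed
if ($p.ExitCode -notin 0, 3010, 2359302) { throw "wusa.exe failed with exit code $($p.ExitCode)" }

Write-Host 'Update staged; rebooting. Run this script again with -Restore after logon.'
Restart-Computer -Force
```

Verify after the -Restore pass that the January KB for the build actually shows in Get-HotFix; if the "undoing changes" screen appeared anyway, the update was rolled back and the service was not the only blocker.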
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5050048 – Windows Server 2012 R2 (ESU)
- KB5050004 – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5050013 – Original release version 1507 (OS Build 10240)
- KB5049993 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5050008 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5049981 – Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5049981 – Version 22H2 “November 2022 Update” (OS Build 19045)
(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)
Windows 11
- KB5050021 – 22H2 (OS Build 22621)
- KB5050021 – 23H2 (OS Build 22631)
- KB5050009 – 24H2 (OS Build 26100)
(Version 21H2 is no longer under support)
Windows Server
- KB5049993 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5050008 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5049983 – Server 2022 (OS Build 20348)
- KB5049984 – Server 23H2 (OS Build 25398)
- KB5050009 – Server 2025 (OS Build 26100)
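Since the policy approves all of these, the useful check is whether each host's build got its KB. The script below is an added example (not from the newsletter): it transcribes the build-to-KB list above into a table, reads the build number over CIM and looks for the matching KB in Win32_QuickFixEngineering, so it can be pointed at a list of computers from AD. Server 2012 and 2012 R2 builds (9200 and 9600) are included for the two rollups.

```powershell
# Added example: verify the January 2025 CU/rollup listed above is installed for this host's OS build.
# Table transcribed from the KB list above; build numbers are the well-known ones for each release.
$JanuaryKBs = @{
    '9200'  = 'KB5050004'   # Windows Server 2012 (ESU) monthly rollup
    '9600'  = 'KB5050048'   # Windows Server 2012 R2 (ESU) monthly rollup
    '10240' = 'KB5050013'   # Windows 10 1507
    '14393' = 'KB5049993'   # Windows 10 1607 / Server 2016
    '17763' = 'KB5050008'   # Windows 10 1809 / Server 2019
    '19044' = 'KB5049981'   # Windows 10 21H2
    '19045' = 'KB5049981'   # Windows 10 22H2
    '20348' = 'KB5049983'   # Server 2022
    '22621' = 'KB5050021'   # Windows 11 22H2
    '22631' = 'KB5050021'   # Windows 11 23H2
    '25398' = 'KB5049984'   # Server 23H2
    '26100' = 'KB5050009'   # Windows 11 24H2 / Server 2025
}

function Test-JanuaryCU {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $build = $os.BuildNumber
    $kb    = $JanuaryKBs[$build]
    if (-not $kb) {
        return [pscustomobject]@{
            Computer = $ComputerName; Build = $build; ExpectedKB = $null
            Status   = 'Build not in January list (check whether this version is still supported)'
        }
    }
    # Win32_QuickFixEngineering is what Get-HotFix reads; it works remotely over CIM.
    $installed = Get-CimInstance -ClassName Win32_QuickFixEngineering -ComputerName $ComputerName |
                 Where-Object HotFixID -eq $kb
    $status = if ($installed) { "Installed $($installed.InstalledOn)" }
              else { 'MISSING (or superseded by a later CU; compare the UBR instead)' }
    [pscustomobject]@{ Computer = $ComputerName; Build = $build; ExpectedKB = $kb; Status = $status }
}

# Usage: this host, or every Windows computer object in AD
Test-JanuaryCU
# Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' | ForEach-Object { Test-JanuaryCU $_.Name } | Format-Table -AutoSize
```

The KB lookup is only reliable until the next cumulative update lands; once a later CU is installed the January KB may no longer be listed, which is why the MISSING status carries the caveat.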
January 2025 updates for Microsoft Office
Notable CVEs
CVE-2025-21210 | Windows BitLocker Information Disclosure Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21210
Exploiting this vulnerability could allow the disclosure of unencrypted hibernation images in cleartext. Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component. To exploit this vulnerability, an attacker needs repeated physical access to the victim machine’s hard disk.
CVE-2025-21298 | Windows OLE Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298
In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to the victim. Exploitation might involve either the victim opening the email with an affected version of Microsoft Outlook, or the victim’s Outlook application displaying a preview of it. This could result in the attacker executing remote code on the victim’s machine.
CVE-2025-21307 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21307
An unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast (PGM) open socket on the server, without any interaction from the user.
CVE-2025-21311 | Windows NTLM V1 Elevation of Privilege Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21311
The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.
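For the two network-reachable 9.8s above, patching is the fix, but it helps to know which hosts were exposed in the first place. The script below is an added example, not Microsoft's text: for CVE-2025-21307 it checks whether the PGM transport (rmcast.sys, which ships with the MSMQ feature; the driver service name RMCAST is an assumption) is present and running, and for CVE-2025-21311 it reads LmCompatibilityLevel and pulls the recent 4624 logons that actually negotiated NTLM V1, so you can see who still depends on the protocol before you disable it.

```powershell
# Added example: local exposure checks for CVE-2025-21307 (PGM/RMCAST) and CVE-2025-21311 (NTLMv1).
# Run elevated. Assumption: the RMCAST driver is registered under the service name 'RMCAST'.

function Test-PgmExposure {
    # CVE-2025-21307 requires an open PGM socket; PGM is only present when MSMQ is installed.
    $msmq   = Get-WindowsOptionalFeature -Online |
              Where-Object { $_.FeatureName -like 'MSMQ*' -and $_.State -eq 'Enabled' }
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MsmqFeaturesEnabled = ($msmq.FeatureName -join ', ')
        RmcastDriverState   = if ($driver) { $driver.State } else { 'not present' }
        Exposed             = [bool]$driver -and $driver.State -eq 'Running'
    }
}

function Test-Ntlmv1Exposure {
    param([int]$Days = 7)
    # LmCompatibilityLevel 0-2 lets this host send NTLMv1; 5 refuses LM and NTLMv1 when acting as server.
    $level = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel

    # 4624 records the NTLM version used in "Package Name (NTLM only)" (XML field LmPackageName).
    # Parsing every 4624 as XML is slow on a busy DC; narrow $Days or export the log first.
    $v1 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
          ForEach-Object {
              $d = ([xml]$_.ToXml()).Event.EventData.Data
              if (($d | Where-Object Name -eq 'LmPackageName').'#text' -eq 'NTLM V1') {
                  [pscustomobject]@{
                      Time        = $_.TimeCreated
                      User        = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                      Workstation = ($d | Where-Object Name -eq 'WorkstationName').'#text'
                      SourceIP    = ($d | Where-Object Name -eq 'IpAddress').'#text'
                  }
              }
          }

    [pscustomobject]@{
        LmCompatibilityLevel = if ($null -eq $level) { 'not set (OS default)' } else { $level }
        Ntlmv1LogonsLastDays = @($v1).Count
        Ntlmv1Sources        = $v1 | Select-Object -Unique Workstation, SourceIP
    }
}

Test-PgmExposure
Test-Ntlmv1Exposure -Days 7
```

A host with the RMCAST driver running but no business need for MSMQ has an unauthenticated network listener it does not need, patched or not; and any NTLM V1 logons in the output are the clients that will break when LmCompatibilityLevel is raised, so fix those first.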
CVE-2025-21333/CVE-2025-21334/CVE-2025-21335 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21334
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21335
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.