4 Actively Exploited Vulnerabilities Among 63 Flaws Patched in Microsoft Products This Month

“Patch Tuesday” is an unofficial term referring to the second Tuesday of each month, when vendors including Microsoft, Adobe, SAP and Google coordinate the release of vulnerabilities in (and patches for) their software products on a fixed cycle. Critical security updates are occasionally released outside of the normal Patch Tuesday cycle, but these are known as “out-of-band” releases.

In this blog post we’ll summarise the key Microsoft Security Updates for the month, but you can access the raw list in full directly at https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan

Commentary

There were several notable exploitations of Microsoft products over the course of the last month, including a warning from CISA reporting on the active exploitation of a code injection flaw in Microsoft Office’s Outlook. CISA also warned of the active exploitation of three further vulnerabilities in MS products over the last month, including an information disclosure vulnerability in Microsoft’s .NET Framework (CVE-2024-29059), a buffer overflow in Windows’ Ancillary Function Driver (CVE-2025-21418), and a Symlink Attack Vulnerability in the Windows Storage Subsystem (CVE-2025-21391).

The Microsoft Patch Tuesday update for February 2025 also includes important updates for vulnerabilities in further products from the Washington-based software giant including MS Office, Edge, HPC, Visual Studio, Azure, Outlook and the Surface hardware series of devices.

Known Exploited Vulnerabilities

The list of “Known Exploited” vulnerabilities below represent the greatest risk and absolute highest priority for patching for many organisations. They have been reported by the CISA, America’s Cyber Defense Agency, to be known to be currently being exploited in the wild and at scale, meaning that not only is exploit code known to attackers, but that the weakness is being actively targeted. These vulnerabilities are the most time-critical to patch before being exploited by threat actors.

The AppCheck Scanner is able to detect these vulnerabilities and report on their presence in your technical estate, enabling you to effectively and swiftly target them for remediation – please click each CVE below to read more about each entry on our public-facing Detections database.

Critical (CVSS 9+) Patches to Prioritise

The list of “Critical” vulnerabilities below are all those with a “CVSS” (Common Vulnerability Scoring System) score of 9.0 or greater. This generally reflects a vulnerability that is a critical risk – being both trivial to exploit as well as having the potential to have significant impact (harm) if successfully exploited – but for which no hard evidence has been gathered yet as to ongoing exploitation. Critical vulnerabilities are crucial to patch, but may be slightly less time-sensitive than ‘known exploited’ vulnerabilities. Critical vulnerabilities highlighted by Microsoft this month include:

‘Highly Exploitable’ Vulnerabilities

The list of “Highly Exploitable” vulnerabilities below are all those which Microsoft has determined are relatively trivial to exploit. Unlike the ‘known exploited vulnerabilities’ list above, there is no evidence yet released of these vulnerabilities having been exploited ‘in the wild’, but that could well change if exploit code is published, or a threat actor chooses to specifically target one of these vulnerabilities. The vulnerabilities flagged as ‘highly exploitable’ by Microsoft this month include:

Other Critical Patches

In addition to the above, Microsoft released 63 important security patches in total.

Products affected by this Patch Tuesday’s updates include:

• 37 vulnerabilities in Windows Telephony Service
• 9 vulnerabilities in Office
• 7 vulnerabilities in Edge
• 3 vulnerabilities in Visual Studio

Statistics

Total Microsoft CVEs: 63

Known Actively Exploited (KEVs): 4

Additional Critical Vulnerabilities: 1

‘Highly Exploitable’ Vulnerabilities: 9

Other Vendors

Other vendors releasing critical security updates this Patch Tuesday include:

• ADOBE has released patches addressing 45 CVEs in products including Acrobat, Reader, Commerce, Substance 3D Painter, FrameMaker and Illustrator.
• FORTINET has released patches addressing 11 CVEs in products including FortiOS, FortiManager, FortiAnalyzer and FortiProxy.
• IVANTI has released security advisories addressing 11 CVEs in products including Ivanti Cloud Service Application, Ivanti Neurons for MDM, Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Secure Access Client.
• CISCO has released patches addressing 9 CVEs across multiple product lines.

How to Protect Your Organisation with AppCheck

As with every month, if you don’t want to wait for your system to download Microsoft critical updates on pre-determined schedule, you can download them immediately from the Windows Update Catalog website at https://www.catalog.update.microsoft.com/Home.aspx and searching by Microsoft KB ID.

We also recommend scanning your entire estate using the AppCheck vulnerability scanner regularly – including end-user machines running desktop operating systems. Contact your account manager now if you are not already licensed for internal scan hubs to cover your whole estate.

Next Patch Tuesday

The next MICROSOFT Patch Tuesday update will be on 11th March 2025 – add it to your calendar now!

AppCheck now offers additional coverage of critical security updates from several key vendors too, including:

• Our weekly roundup of ‘Known exploited vulnerabilities’ from across all vendors, published weekly each Friday.
• Our End-of-Month Roundups of critical patch updates for all CISCO Products – next due on 27th February 2025.
• Quarterly Roundups of Security Updates from IVANTI – next due on 3rd March 2025.
• Our Monthly Security Advisory Roundups for PALO ALTO NETWORKS – next due on 13th March 2025.
• Our quarterly coverage of the ‘Critical Patch Updates’ from ORACLE – next due on 15th April 2025.

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).