January 15, 2025

What Are We Patching This Tuesday?

In this Patch Tuesday edition, Microsoft addressed 159 CVEs: 8 Zero-Days, 10 rated Critical and 147 rated Important. Of the Zero-Days, 3 are actively exploited in the wild and 5 others were publicly disclosed before the patch.

From an Impact perspective, Escalation of Privilege (EoP) vulnerabilities accounted for 39%, followed by Remote Code Execution (RCE) at 36% and Denial of Service (DoS) at 12%.

Patches for this month cover components for the following areas:

  • .NET
  • Active Directory Domain Services
  • Active Directory Federation Services
  • Azure Marketplace SaaS Resources
  • BranchCache
  • Internet Explorer
  • IP Helper
  • Line Printer Daemon Service (LPD)
  • Microsoft AutoUpdate (MAU)
  • Microsoft Azure Gateway Manager
  • Microsoft Brokering File System
  • Microsoft Digest Authentication
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office OneNote
  • Microsoft Office Outlook
  • Microsoft Office Outlook for Mac
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Office Word
  • Microsoft Purview
  • Microsoft Windows Search Component
  • Power Automate
  • Reliable Multicast Transport Driver (RMCAST)
  • Visual Studio
  • Windows BitLocker
  • Windows Boot Loader
  • Windows Boot Manager
  • Windows Client-Side Caching (CSC) Service
  • Windows Cloud Files Mini Filter Driver
  • Windows COM
  • Windows Connected Devices Platform Service
  • Windows Cryptographic Services
  • Windows Digital Media
  • Windows Direct Show
  • Windows DWM Core Library
  • Windows Event Tracing
  • Windows Geolocation Service
  • Windows Hello
  • Windows Hyper-V NT Kernel Integration VSP
  • Windows Installer
  • Windows Kerberos
  • Windows Kernel Memory
  • Windows MapUrlToZone
  • Windows Mark of the Web (MOTW)
  • Windows Message Queuing
  • Windows NTLM
  • Windows OLE
  • Windows PrintWorkflowUserSvc
  • Windows Recovery Environment Agent
  • Windows Remote Desktop Services
  • Windows Security Account Manager
  • Windows Smart Card
  • Windows SmartScreen
  • Windows SPNEGO Extended Negotiation
  • Windows Telephony Service
  • Windows Themes
  • Windows UPnP Device Host
  • Windows Virtual Trusted Platform Module
  • Windows Virtualization-Based Security (VBS) Enclave
  • Windows Web Threat Defense User Service
  • Windows Win32K – GRFX
  • Windows WLAN Auto Config Service

Here’s a closer look at the most interesting Microsoft CVEs:

CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are Escalation of Privilege vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). VSP resides in the root partition of a Hyper-V host and provides synthetic device support to child partitions over the Virtual Machine Bus (VMBus): it is the foundation of how Hyper-V lets a child partition behave as though it were running on real hardware.

All three vulnerabilities are assigned CVSS 7.8 and rated Important. Successful exploitation could allow an attacker to elevate privileges to SYSTEM. Anyone running Hyper-V should put these vulnerabilities at the top of their patch list.

CVE-2025-21297 and CVE-2025-21309 are Remote Code Execution vulnerabilities affecting Windows Remote Desktop Services. Both have a CVSS of 8.1 and are rated Critical. Given the wide usage of RDP services, this should also be a high priority for all security professionals.

A successful exploit allows an unauthenticated attacker to execute arbitrary code on a Remote Desktop Gateway server. The attacker must connect to the server and trigger a race condition that results in a use-after-free.

Microsoft rates exploitation of CVE-2025-21309 as “More Likely” and exploitation of CVE-2025-21297 as “Less Likely.”
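Both of the groups above (the Hyper-V VSP bugs and the Remote Desktop Gateway bugs) only matter on hosts that actually carry the affected role, so the first practical step is scoping. The script below is an added example, not code from Microsoft or Balbix: it reports whether a host has the Hyper-V or RD Gateway role installed and whether a given update is present. It assumes that server SKUs expose the roles through Get-WindowsFeature and client SKUs expose Hyper-V through Get-WindowsOptionalFeature; the KB identifier is a placeholder because the article does not list one.

```powershell
# Added example (not from the advisory or Balbix): scope which hosts carry the
# components behind CVE-2025-21333/21334/21335 (Hyper-V) and CVE-2025-21297/21309
# (Remote Desktop Gateway), so they move to the top of the patch queue.
# Assumptions: Windows Server exposes the roles via Get-WindowsFeature; Windows
# client exposes Hyper-V via Get-WindowsOptionalFeature. $PatchKb is a placeholder.

$PatchKb = 'KB<placeholder>'   # replace with the January 2025 cumulative update ID for this build

function Get-ExposedRoles {
    $roles = [ordered]@{ HyperV = $false; RdGateway = $false }
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # Windows Server: role-based inventory
        $f = Get-WindowsFeature -Name Hyper-V, RDS-Gateway
        $roles.HyperV    = [bool](($f | Where-Object Name -eq 'Hyper-V').Installed)
        $roles.RdGateway = [bool](($f | Where-Object Name -eq 'RDS-Gateway').Installed)
    } else {
        # Windows client: Hyper-V is an optional feature; the RD Gateway role does not exist here
        $hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
        $roles.HyperV = ($hv.State -eq 'Enabled')
    }
    [pscustomobject]$roles
}

function Test-PatchInstalled {
    param([string]$Kb)
    # Get-HotFix lists installed updates by KB ID; absent means not installed (or not yet reported)
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

$exposed  = Get-ExposedRoles
$priority = if ($exposed.HyperV -or $exposed.RdGateway) { 'HIGH: exposed role present' } else { 'normal' }

[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    HyperV    = $exposed.HyperV
    RdGateway = $exposed.RdGateway
    Patched   = Test-PatchInstalled -Kb $PatchKb
    Priority  = $priority
}
```

Run it through your existing remote-execution tooling and collect the objects centrally; hosts reporting an exposed role and Patched = False are the ones the paragraphs above tell you to deal with first.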

CVE-2025-21298 is a Remote Code Execution vulnerability in Windows Object Linking and Embedding (OLE), the technology that allows users to insert and interact with objects created in one application inside another, effectively integrating data from different programs into a single document (for example, embedding an Excel spreadsheet in a Word document).

This vulnerability has a CVSS of 9.8 and is rated Critical. A successful exploit allows a remote attacker to execute arbitrary code on the target system by sending a specially crafted email; the payload triggers when a vulnerable Outlook version opens the message and parses its RTF content. The root cause is improper validation of user-entered data, leading to memory corruption.

As a workaround, Microsoft recommends configuring Outlook to read email messages in plain text format instead of a rich format that displays rich content such as images. Although this advice has value for security professionals, it is highly unlikely that users or organizations can apply it in practice (and in time), so patching Outlook to the latest version should be the priority.
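Whether or not you roll the workaround out, it helps to know which mailboxes already have it. The script below is an added example, not Microsoft's or Balbix's code: it audits the plain-text reading setting for the current user and can set it, either as a user preference or under the policy hive. It assumes the ReadAsPlain DWORD under the Outlook 16.0 Options\Mail key as documented in Microsoft KB 831607; confirm the key against the advisory for your Outlook version before relying on it.

```powershell
# Added example (not from the advisory or Balbix): audit/apply the "read as plain text"
# setting that Microsoft cites as the CVE-2025-21298 workaround.
# Assumption: Outlook 2016/Microsoft 365 (16.0) stores it as DWORD ReadAsPlain under
# Options\Mail (KB 831607); the Policies hive, when present, overrides the user preference.

$paths = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail',  # GPO-enforced
    'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'            # user preference
)

function Get-OutlookPlainTextState {
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name ReadAsPlain -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            [pscustomobject]@{
                Path        = $p
                ReadAsPlain = $v.ReadAsPlain
                Enforced    = ($p -like '*\Policies\*')
            }
        }
    }
}

function Set-OutlookPlainText {
    param([switch]$Enforced)   # -Enforced writes the policy key instead of the user preference
    $target = if ($Enforced) { $paths[0] } else { $paths[1] }
    if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }
    # 1 = read all messages as plain text (the workaround); 0 = default rich rendering
    New-ItemProperty -Path $target -Name ReadAsPlain -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-OutlookPlainTextState
if (-not $state -or ($state.ReadAsPlain -notcontains 1)) {
    Write-Warning 'Outlook is not reading mail as plain text; install the update or apply the workaround.'
} else {
    $state | Format-Table -AutoSize
}
```

The audit half is the useful part for most teams: it gives a quick count of how many users are actually protected by the workaround while the update is being rolled out, which is exactly the gap the paragraph above warns about.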

CVE-2025-21308 is a Spoofing vulnerability affecting Windows Themes. Although it carries a CVSS of 6.5 and is rated Important, it is worth noting that it lends itself to social engineering attacks, as many users are keen to load custom themes on their systems.

Successful exploitation requires an attacker to build and distribute a specially crafted theme file and convince the user to load it. A previous patch (CVE-2024-38030) already addressed this flaw, but it did not cover every angle, resulting in this new CVE and patch.

The vulnerable component is, again, NTLM. Microsoft provides additional guidance on how organizations can restrict outbound NTLM traffic to remote servers (see the Microsoft Advisory).
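The outbound-NTLM restriction Microsoft points to is a policy with an audit mode, and the safe way to adopt it is to audit before denying. The script below is an added example, not Microsoft's or Balbix's code: it reads the current policy value, switches on audit mode, and lists what audit mode has logged. It assumes the policy lives at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic (0 = allow, 1 = audit, 2 = deny) and that audit findings are written as event ID 8001 in the Microsoft-Windows-NTLM/Operational log.

```powershell
# Added example (not Microsoft's or Balbix's code): check the "Network security: Restrict NTLM:
# Outgoing NTLM traffic to remote servers" policy and surface what audit mode has recorded.
# Assumptions: value RestrictSendingNTLMTraffic under Lsa\MSV1_0 (0 allow, 1 audit, 2 deny);
# audit events are ID 8001 in Microsoft-Windows-NTLM/Operational.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$meaning = @{ 0 = 'Allow all (no restriction)'; 1 = 'Audit all (logged, not blocked)'; 2 = 'Deny all (blocked)' }

function Get-OutboundNtlmPolicy {
    $v = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $v) { $v = 0 }   # absent value means "Not defined", which behaves as allow
    [pscustomobject]@{ Value = [int]$v; Meaning = $meaning[[int]$v] }
}

function Enable-OutboundNtlmAudit {
    # Stage 1 of a rollout: audit so that legitimate NTLM dependencies show up as 8001 events
    # before anything is blocked. Requires an elevated session.
    Set-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -Type DWord -Value 1
}

function Get-OutboundNtlmAuditEvents {
    param([int]$Days = 7)
    # Each 8001 event is an outbound NTLM authentication that "Deny all" would have blocked;
    # review these (target server, process) before moving the policy to 2.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Summary = ($_.Message -split "`n")[0] }
        }
}

$policy = Get-OutboundNtlmPolicy
"Outbound NTLM policy: $($policy.Value) ($($policy.Meaning))"
if ($policy.Value -eq 0) {
    Write-Warning 'Outbound NTLM is unrestricted; enable audit mode (1) and review 8001 events before denying.'
}
Get-OutboundNtlmAuditEvents | Select-Object -First 20
```

Leaving the policy in audit mode for a week or two and reviewing the 8001 events is what turns the advisory's generic guidance into a change you can make without breaking legacy file shares and appliances that still depend on NTLM.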

CVE-2025-21275 is an Elevation of Privilege vulnerability in the Microsoft Windows App Package Installer. It has a CVSS rating of 7.8 and it’s rated Important.

The attack requires an authenticated attacker. Successful exploitation grants SYSTEM privileges, so this type of vulnerability is typically used in the later stages of an attack, after initial compromise through other means.

However, given that the Windows App Package Installer is a core component of Windows, closely interlinked with many other elements, it is highly recommended that security and IT teams give this vulnerability additional attention and action.

Complete list of Microsoft CVEs released this month:

CVE Severity Type CVSS Exploitation
CVE-2024-50338 Important Elevation of Privilege 7.4
CVE-2024-7344 Important Information Disclosure 6.7
CVE-2025-21171 Important Remote Code Execution 8.1 Less Likely
CVE-2025-21172 Important Remote Code Execution 7.5 Less Likely
CVE-2025-21173 Important Elevation of Privilege 8 Less Likely
CVE-2025-21176 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21178 Critical Remote Code Execution 8.8 Less Likely
CVE-2025-21186 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21187 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21189 Important Information Disclosure 4.3 More Likely
CVE-2025-21193 Important Information Disclosure 6.5 Less Likely
CVE-2025-21202 Important Elevation of Privilege 6.1 Less Likely
CVE-2025-21207 Important Denial of Service 7.5 Less Likely
CVE-2025-21210 Important Elevation of Privilege 4.2 More Likely
CVE-2025-21211 Important Information Disclosure 6.8 Less Likely
CVE-2025-21213 Important Information Disclosure 4.6 Less Likely
CVE-2025-21214 Important Elevation of Privilege 4.2 Less Likely
CVE-2025-21215 Important Information Disclosure 4.6 Less Likely
CVE-2025-21217 Important Information Disclosure 6.5 Less Likely
CVE-2025-21218 Important Denial of Service 7.5 Less Likely
CVE-2025-21219 Important Information Disclosure 4.3 More Likely
CVE-2025-21220 Important Elevation of Privilege 7.5 Less Likely
CVE-2025-21223 Important Elevation of Privilege 7.5 Less Likely
CVE-2025-21224 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21225 Important Remote Code Execution 8.1 Less Likely
CVE-2025-21226 Important Denial of Service 5.9 Less Likely
CVE-2025-21227 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21228 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21229 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21230 Important Denial of Service 7.5 Less Likely
CVE-2025-21231 Important Denial of Service 7.5 Less Likely
CVE-2025-21232 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21233 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21234 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21235 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21236 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21237 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21238 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21239 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21240 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21241 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21242 Important Elevation of Privilege 5.9 Less Likely
CVE-2025-21243 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21244 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21245 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21246 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21248 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21249 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21250 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21251 Important Denial of Service 7.5 Less Likely
CVE-2025-21252 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21255 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21256 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21257 Important Elevation of Privilege 5.5 Less Likely
CVE-2025-21258 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21260 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21261 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21263 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21265 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21266 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21268 Important Information Disclosure 4.3 More Likely
CVE-2025-21269 Important Information Disclosure 4.3 More Likely
CVE-2025-21270 Important Denial of Service 7.5 Less Likely
CVE-2025-21271 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21272 Important Elevation of Privilege 6.5 Less Likely
CVE-2025-21273 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21274 Important Denial of Service 5.5 Less Likely
CVE-2025-21275 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21276 Important Information Disclosure 7.5 Less Likely
CVE-2025-21277 Important Denial of Service 7.5 Less Likely
CVE-2025-21278 Important Denial of Service 6.2 Less Likely
CVE-2025-21280 Important Denial of Service 5.5 Less Likely
CVE-2025-21281 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21282 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21284 Important Denial of Service 5.5 Less Likely
CVE-2025-21285 Important Denial of Service 7.5 Less Likely
CVE-2025-21286 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21287 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21288 Important Elevation of Privilege 6.5 Less Likely
CVE-2025-21289 Important Denial of Service 7.5 Less Likely
CVE-2025-21290 Important Denial of Service 7.5 Less Likely
CVE-2025-21291 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21292 Important Elevation of Privilege 8.8 More Likely
CVE-2025-21293 Important Elevation of Privilege 8.8 Less Likely
CVE-2025-21294 Critical Remote Code Execution 8.1 Less Likely
CVE-2025-21295 Critical Remote Code Execution 8.1 Less Likely
CVE-2025-21296 Critical Remote Code Execution 7.5 Less Likely
CVE-2025-21297 Critical Remote Code Execution 8.1 Less Likely
CVE-2025-21298 Critical Remote Code Execution 9.8 More Likely
CVE-2025-21299 Important Information Disclosure 7.1 More Likely
CVE-2025-21300 Important Denial of Service 7.5 Less Likely
CVE-2025-21301 Important Elevation of Privilege 6.5 Less Likely
CVE-2025-21302 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21303 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21304 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21305 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21306 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21307 Critical Remote Code Execution 9.8 Less Likely
CVE-2025-21308 Important Information Disclosure 6.5 Less Likely
CVE-2025-21309 Critical Remote Code Execution 8.1 More Likely
CVE-2025-21310 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21311 Critical Elevation of Privilege 9.8 Less Likely
CVE-2025-21312 Important Elevation of Privilege 2.4 Less Likely
CVE-2025-21313 Important Denial of Service 6.5 Less Likely
CVE-2025-21314 Important Information Disclosure 6.5 More Likely
CVE-2025-21315 Important Elevation of Privilege 7.8 More Likely
CVE-2025-21316 Important Elevation of Privilege 5.5 Less Likely
CVE-2025-21317 Important Elevation of Privilege 5.5 Less Likely
CVE-2025-21318 Important Elevation of Privilege 5.5 Less Likely
CVE-2025-21319 Important Elevation of Privilege 5.5 Less Likely
CVE-2025-21320 Important Elevation of Privilege 5.5 Less Likely
CVE-2025-21321 Important Elevation of Privilege 5.5 Less Likely
CVE-2025-21323 Important Elevation of Privilege 5.5 Less Likely
CVE-2025-21324 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21326 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21327 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21328 Important Information Disclosure 4.3 More Likely
CVE-2025-21329 Important Information Disclosure 4.3 More Likely
CVE-2025-21330 Important Denial of Service 7.5 Less Likely
CVE-2025-21331 Important Elevation of Privilege 7.3 Less Likely
CVE-2025-21332 Important Information Disclosure 4.3 Less Likely
CVE-2025-21333 Important Elevation of Privilege 7.8 KNOWN EXPLOIT
CVE-2025-21334 Important Elevation of Privilege 7.8 KNOWN EXPLOIT
CVE-2025-21335 Important Elevation of Privilege 7.8 KNOWN EXPLOIT
CVE-2025-21336 Important Elevation of Privilege 5.6 Less Likely
CVE-2025-21338 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21339 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21340 Important Information Disclosure 5.5 Less Likely
CVE-2025-21341 Important Elevation of Privilege 6.6 Less Likely
CVE-2025-21343 Important Elevation of Privilege 7.5 Less Likely
CVE-2025-21344 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21345 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21346 Important Information Disclosure 7.1 Less Likely
CVE-2025-21348 Important Remote Code Execution 7.2 Less Likely
CVE-2025-21354 Important Remote Code Execution 7.8 More Likely
CVE-2025-21356 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21357 Important Remote Code Execution 6.7 Less Likely
CVE-2025-21360 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21361 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21362 Important Remote Code Execution 7.8 More Likely
CVE-2025-21363 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21364 Important Information Disclosure 7.8 More Likely
CVE-2025-21365 Important Remote Code Execution 7.8 More Likely
CVE-2025-21366 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21370 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21372 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21374 Important Elevation of Privilege 5.5 Less Likely
CVE-2025-21378 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21380 Critical Elevation of Privilege 8.8
CVE-2025-21382 Important Elevation of Privilege 7.8 Less Likely
CVE-2025-21385 Critical Elevation of Privilege 8.8
CVE-2025-21389 Important Denial of Service 7.5 Less Likely
CVE-2025-21393 Important Information Disclosure 6.3 Less Likely
CVE-2025-21395 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21402 Important Remote Code Execution 7.8 Less Likely
CVE-2025-21403 Important Elevation of Privilege 6.4 Less Likely
CVE-2025-21405 Important Elevation of Privilege 7.3 Less Likely
CVE-2025-21409 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21411 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21413 Important Remote Code Execution 8.8 Less Likely
CVE-2025-21417 Important Remote Code Execution 8.8 Less Likely

Balbix Recommendations:

As always, you should patch everything as soon as possible… 😉 

But that is a lot easier said than done. The right strategy is to prioritize what matters most and reduce the vulnerabilities with the greatest business impact first. For this, organizations must improve how they measure, quantify, prioritize and communicate risk. Balbix offers the following AI-powered capabilities:

#1 – CAASM > Understand your attack surface. An accurate & up-to-date inventory of on-premises, cloud, IoT/OT assets and software bill of materials (SBOM) is fundamental. Additionally, organizations need to understand:

  • What are the material assets?
  • Where are they located?
  • What data/business context is associated with them?
  • Do they have any existing security controls enabled?

#2 – RVBM > Prioritize and remediate critical vulnerabilities. Use severity, threat intelligence, asset exposure, compensating controls and business context to understand which vulnerabilities are exploited and the financial impact of it (if exploited) to your organization. Use this data to prioritize ruthlessly.
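The CVE table earlier in the post and the prioritization rule just described can be turned into a small, repeatable triage step. The script below is an added example, not Balbix's scoring or any tooling from the post: it parses rows in the table's whitespace-separated layout (CVE, severity, type, CVSS, optional exploitation note), ranks them with known-exploited first, then Microsoft's "More Likely" assessment, then severity and CVSS, and maps each row plus one piece of asset context (internet exposure) to an action bucket. The sample rows are a constructed subset copied from the table; the bucket thresholds are an assumption for illustration.

```python
"""Rank a Patch Tuesday CVE table for triage.

Added example, not Balbix's own scoring. Parses rows in the whitespace-separated
layout used in the table above and orders them for a patch-priority workflow:
known-exploited first, then "More Likely", then severity, then CVSS.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: rows copied from the table above, in its original layout.
SAMPLE_ROWS = """\
CVE Severity Type CVSS Exploitation
CVE-2024-50338 Important Elevation of Privilege 7.4
CVE-2025-21298 Critical Remote Code Execution 9.8 More Likely
CVE-2025-21307 Critical Remote Code Execution 9.8 Less Likely
CVE-2025-21309 Critical Remote Code Execution 8.1 More Likely
CVE-2025-21333 Important Elevation of Privilege 7.8 KNOWN EXPLOIT
CVE-2025-21308 Important Information Disclosure 6.5 Less Likely
CVE-2025-21312 Important Elevation of Privilege 2.4 Less Likely
"""

# The type column is multi-word, so it is matched lazily and pinned by the CVSS number after it.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<severity>Critical|Important|Moderate|Low)\s+"
    r"(?P<type>.+?)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?)"
    r"(?:\s+(?P<exploitation>KNOWN EXPLOIT|More Likely|Less Likely))?\s*$"
)


@dataclass(frozen=True)
class CveRow:
    cve: str
    severity: str
    vuln_type: str
    cvss: float
    exploitation: str  # "KNOWN EXPLOIT", "More Likely", "Less Likely", or "" when the column is absent


def parse_rows(text: str) -> list[CveRow]:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("CVE Severity"):  # skip blanks and the header row
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(CveRow(m["cve"], m["severity"], m["type"], float(m["cvss"]), m["exploitation"] or ""))
    return rows


# Lower rank sorts first. A missing assessment ("") is treated as unknown and placed ahead of
# "Less Likely": no evidence either way is not the same as evidence of low likelihood.
EXPLOITATION_RANK = {"KNOWN EXPLOIT": 0, "More Likely": 1, "": 2, "Less Likely": 3}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def sort_key(row: CveRow):
    return (EXPLOITATION_RANK[row.exploitation], SEVERITY_RANK[row.severity], -row.cvss, row.cve)


def prioritise(rows: list[CveRow]) -> list[CveRow]:
    return sorted(rows, key=sort_key)


def triage_bucket(row: CveRow, internet_exposed: bool) -> str:
    """Map a row plus one piece of asset context to an action bucket.

    The thresholds are an assumption for illustration, not Balbix's scoring.
    """
    if row.exploitation == "KNOWN EXPLOIT":
        return "patch now"
    if row.severity == "Critical" and (internet_exposed or row.exploitation == "More Likely"):
        return "patch now"
    if row.exploitation == "More Likely" or row.cvss >= 7.0:
        return "this cycle"
    return "scheduled"


if __name__ == "__main__":
    for r in prioritise(parse_rows(SAMPLE_ROWS)):
        print(f"{r.cve}  {r.severity:9}  {r.cvss:4.1f}  {r.exploitation or 'n/a':13}  "
              f"exposed={triage_bucket(r, True):10}  internal={triage_bucket(r, False)}")
```

Feeding the full table through `parse_rows` and joining the result against your asset inventory (which hosts are internet-exposed, which carry the affected role) is the minimal version of the severity, threat-intelligence and exposure correlation described in #2; the ordering it produces is the same one the rest of this post argues for, with the three known-exploited Hyper-V CVEs at the top.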

#3 – CRQ > Quantify Cyber Risk. Express risk in a language everyone understands, i.e., money. It is the only way to effectively communicate and compare risk across different environments, software, geographies, business units, etc.

But the true magic of Balbix happens when you put all these together:

The Balbix Platform started its homework as soon as vendors announced the CVEs, with no human interaction needed; it is all driven by AI. It learned about the new CVEs and the cyber threat intelligence associated with each of them, and correlated that with each asset’s technical and business context to calculate the Balbix scores.

This way, Risk-Based Prioritization is already done, and Balbix customers can simply start a Patch Prioritization workflow and automatically get the latest KB that needs to be installed on a set of assets / OS.

[Screenshot: Patch-Prioritization-Project]

[Screenshot: Patch-Tuesday-August-CVEs-Dashboard]

This way, Balbix customers clearly understand the assets in scope, unique CVE detections, unique patches to be applied, etc., and most importantly, the priority in which patches need to be installed to burn down risk in the most efficient way possible.

If you want to learn more, please sign up for a Balbix demo.