Threat intel · 5 MIN READ · MATT JASTRAM AND BEN NAHORNEY · JAN 14, 2026 · TAGS: vulnerability prioritization
TL;DR
- January Patch Tuesday includes 112 CVEs, with one actively exploited zero-day vulnerability (CVE-2026-20805) that has been added to CISA’s KEV catalog.
- Check out our review of our 2025 exploit predictions: how did they stand the test of time?
- You can find all the 2025 vulnerability management blog posts below for reference.
As we enter 2026, January’s Patch Tuesday has arrived. With many teams just gearing up for the new year, it’s essential to identify the critical vulnerabilities early so you can stay proactive for the year. So while you’re strategizing for your team, here are a few CVEs we think deserve prioritization.
Patch Tuesday: January 13, 2026
This month’s release includes 112 CVEs, including one zero-day vulnerability, which is actively being exploited in the wild.
- Desktop Window Manager Information Disclosure Vulnerability (CVE-2026-20805): Despite the lower CVSS score (5.5/10), this memory leak vulnerability is under active exploitation according to Microsoft. On a system where an attacker has already gained a foothold, the vulnerability can be used to locate various Windows functions in memory, bypassing ASLR. The attacker can then chain other vulnerabilities to achieve remote code execution (RCE), privilege escalation, and more. Since the vulnerability is under active exploitation, CISA added it to the KEV catalog.
- Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability (CVE-2026-20868): This RCE vulnerability impacts systems running RRAS administration tools. To exploit it successfully, an attacker must be authenticated on the domain and have a malicious RRAS server set up. If the attacker can trick a system user into connecting to the malicious RRAS server, they can trigger a heap overflow leading to code execution on the vulnerable system.
- Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2026-20947): This SQL injection vulnerability in SharePoint allows for RCE. If an attacker logs into SharePoint with legitimate credentials, they can craft SQL queries that SharePoint fails to sanitize properly, allowing them to read, modify, and delete sensitive data in SharePoint’s database.
- Windows Server Update Service (WSUS) Remote Code Execution Vulnerability (CVE-2026-20856): This is an improper input validation vulnerability in WSUS allowing RCE through an adversary-in-the-middle attack. If an attacker manages to place themselves between either the endpoints and the WSUS server or the WSUS server and Microsoft Update Service, the vulnerability allows them to inject malicious payloads by modifying the update metadata or the binaries involved in the updates.
- Azure Connected Machine Agent Elevation of Privilege Vulnerability (CVE-2026-21224): This is a stack-based buffer overflow in the Azure Connected Machine Agent. If an attacker has established access to an Azure Arc deployment, they can use this vulnerability to gain SYSTEM-level privileges.
2025 exploit predictions: How did our projections stand the test of time?
In 2025, the Common Vulnerabilities and Exposures (CVE) system generated 48,448 CVEs. The CVEs provide a reference method for publicly known information-security vulnerabilities and exposures in publicly released software packages.
Each month Microsoft publishes a massive list of CVEs on Patch Tuesday, typically 50 to 150 CVEs. In 2025, we published a monthly blog post that focused primarily on what we projected would be the 3-5 vulnerabilities with the highest exploit risk.
Let’s take a look at our 2025 predictions. How did we do? Did we get it right, or wrong?
Throughout the year, we recommended expedited patching of 46 CVEs with strong exploitation risk factors. After analyzing those vulnerabilities, we found:
- 63% of the recommended vulnerabilities have evidence of exploitation in the wild
- 39% of the recommended vulnerabilities are identified in the CISA KEV
- 24% have current EPSS scores higher than 5%
- 13% of CVEs we recommended patching have been weaponized by malware
- 6.5% of the CVEs have identified threat actors leveraging the vulnerability
- Of the 37% without exploit evidence, 59% were remote code execution (RCE) vulnerabilities and 24% were privilege escalation vulnerabilities.
Below are the overall details of CVEs we prioritized, including the month, vulnerability description, EPSS score, CISA KEV status, and exploit evidence.
| # | CVE | Description | EPSS score (percentage) | Included in CISA KEV? | Exploit evidence |
|---|---|---|---|---|---|
| January | | | | | |
| 1 | CVE-2025-21309 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 0.70% | No | No |
| 2 | CVE-2025-21314 | Windows SmartScreen Spoofing Vulnerability | 0.33% | No | No |
| 3 | CVE-2025-21311 | Windows NTLM V1 Elevation of Privilege Vulnerability | 5.88% | No | Yes |
| February | | | | | |
| 4 | CVE-2025-21391 | Microsoft Windows Storage Elevation of Privilege Vulnerability | 2.27% | Yes | Yes |
| 5 | CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | 8.74% | Yes | Yes |
| 6 | CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability | 9.88% | No | Yes |
| March | | | | | |
| 7 | CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability | 8.77% | Yes | Yes; malware has weaponized this CVE and threat actors continue to leverage it |
| 8 | CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | 0.66% | Yes | Yes; malware has weaponized this CVE |
| 9 | CVE-2025-24984 | Windows NTFS Information Disclosure Vulnerability | 4.97% | Yes | Yes; malware has weaponized this CVE |
| April | | | | | |
| 10 | CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | 0.76% | Yes | Yes; malware has weaponized this CVE and it has been used for ransomware |
| 11 | CVE-2025-2748 | Microsoft SQL Server Information Disclosure Vulnerability | 0.48% | No | No |
| 12 | CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 0.42% | No | No |
| 13 | CVE-2025-27472 | Windows Mark of the Web Security Feature Bypass Vulnerability | 1.12% | No | No |
| May | | | | | |
| 14 | CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability | 21.27% | Yes | Yes |
| 15 | CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | 1.54% | Yes | Yes |
| 16 | CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | 1.30% | Yes | Yes |
| 17 | CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | 1.13% | Yes | Yes |
| 18 | CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | 1.14% | Yes | Yes |
| 19 | CVE-2025-24063 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | 0.08% | No | Yes |
| 20 | CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability | 0.07% | No | No |
| June | | | | | |
| 21 | CVE-2025-33053 | Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution (RCE) Vulnerability | 29.54% | Yes | Yes; malware has weaponized this CVE |
| 22 | CVE-2025-33070 | Windows Netlogon Elevation of Privilege Vulnerability | 0.24% | No | No |
| 23 | CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution (RCE) Vulnerability | 0.20% | No | No |
| July | | | | | |
| 24 | CVE-2025-49719 | Microsoft SQL Server Information Disclosure Vulnerability | 0.48% | No | Yes |
| 25 | CVE-2025-47981 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | 0.42% | No | Yes |
| 26 | CVE-2025-49701 | Microsoft SharePoint Remote Code Execution Vulnerability | 0.37% | No | No |
| 27 | CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability | 70.30% | Yes | Yes |
| 28 | CVE-2025-49724 | Windows Connected Devices Platform Service Remote Code Execution Vulnerability | 0.18% | No | No |
| August | | | | | |
| 29 | CVE-2025-53779 | Windows Kerberos Elevation of Privilege Vulnerability | 0.29% | No | Yes |
| 30 | CVE-2025-53786 | Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability | 0.09% | No | Yes |
| 31 | CVE-2025-53778 | Critical Windows NTLM Elevation of Privilege Vulnerability | 0.19% | No | No |
| 32 | CVE-2025-50177 | Critical Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | 0.10% | No | No |
| September | | | | | |
| 33 | CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability | 0.22% | No | Yes |
| 34 | CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability | 0.99% | No | Yes |
| 35 | CVE-2025-54110 | Windows Kernel Elevation of Privilege Vulnerability | 0.09% | No | No |
| October | | | | | |
| 36 | CVE-2025-24990 | Windows Agere Modem Driver Elevation of Privilege Vulnerability | 6.15% | Yes | Yes |
| 37 | CVE-2025-59230 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | 9.53% | Yes | Yes |
| 38 | CVE-2025-59287 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability | 74.66% | Yes | Yes; malware has weaponized this CVE and a public exploit exists |
| November | | | | | |
| 39 | CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability | 0.67% | Yes | Yes |
| 40 | CVE-2025-60724 | GDI+ Remote Code Execution Vulnerability | 0.14% | No | No |
| 41 | CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability | 0.46% | No | No |
| 42 | CVE-2025-59499 | Microsoft SQL Server Elevation of Privilege Vulnerability | 0.10% | No | No |
| December | | | | | |
| 43 | CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | 3.27% | Yes | Yes |
| 44 | CVE-2025-64671 | GitHub Copilot for JetBrains Remote Code Execution Vulnerability | 0.13% | No | Yes |
| 45 | CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability | 0.21% | No | Yes |
| 46 | CVE-2025-64678 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | 0.07% | No | No |
Overall, 63% of the CVEs we identified demonstrated some level of exploit evidence. That’s not bad for quickly identifying and selecting a handful of vulnerabilities per month. We strongly recommend you use the list to confirm you’ve addressed the exploited CVEs; leaving those to chance is not recommended.
For the 37% with no current exploit evidence, we did draw a few conclusions. Of those remaining CVEs, 59% were RCE vulnerabilities, which carry the highest threat, and 24% were privilege escalations, which also carry a high risk if leveraged. Time will reveal the probability, so we’ll see what 2026 brings!
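The bullet-list statistics above can be recomputed from the table. The script below is an added example, not Expel’s code: it embeds a constructed, compact transcription of the table’s CVE, EPSS, CISA KEV and exploit-evidence columns (descriptions dropped), reproduces the exploitation, KEV, EPSS-threshold and malware percentages, and sorts the list into a patch order that puts KEV entries first, then anything with exploit evidence, then the highest EPSS. The `Entry`, `parse_table`, `summarize` and `patch_order` names and the one-letter evidence flags are the example’s own conventions. EPSS scores are recomputed daily, so the count above the 5% threshold depends on when the table was captured.

```python
"""Recompute the 2025 prioritization summary from the post's table.

Added example (not Expel's code). The input is a constructed, compact
transcription of the table's CVE / EPSS / CISA KEV / exploit-evidence columns.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Record format: "CVE,EPSS-percent,KEV(Y/N),evidence-flags;" with several records
# per line. Evidence flags (this example's own shorthand): N = no evidence,
# Y = exploit evidence, M = weaponized by malware, T = threat actors observed,
# R = used for ransomware, P = public exploit exists. Flags combine, e.g. "YMT".
TABLE_2025 = """
CVE-2025-21309,0.70,N,N; CVE-2025-21314,0.33,N,N; CVE-2025-21311,5.88,N,Y;
CVE-2025-21391,2.27,Y,Y; CVE-2025-21418,8.74,Y,Y; CVE-2025-21377,9.88,N,Y;
CVE-2025-26633,8.77,Y,YMT; CVE-2025-24983,0.66,Y,YM; CVE-2025-24984,4.97,Y,YM;
CVE-2025-29824,0.76,Y,YMR; CVE-2025-2748,0.48,N,N; CVE-2025-27482,0.42,N,N; CVE-2025-27472,1.12,N,N;
CVE-2025-30397,21.27,Y,Y; CVE-2025-32701,1.54,Y,Y; CVE-2025-32706,1.30,Y,Y; CVE-2025-30400,1.13,Y,Y;
CVE-2025-32709,1.14,Y,Y; CVE-2025-24063,0.08,N,Y; CVE-2025-32702,0.07,N,N;
CVE-2025-33053,29.54,Y,YM; CVE-2025-33070,0.24,N,N; CVE-2025-33071,0.20,N,N;
CVE-2025-49719,0.48,N,Y; CVE-2025-47981,0.42,N,Y; CVE-2025-49701,0.37,N,N; CVE-2025-49704,70.30,Y,Y; CVE-2025-49724,0.18,N,N;
CVE-2025-53779,0.29,N,Y; CVE-2025-53786,0.09,N,Y; CVE-2025-53778,0.19,N,N; CVE-2025-50177,0.10,N,N;
CVE-2025-54918,0.22,N,Y; CVE-2025-55234,0.99,N,Y; CVE-2025-54110,0.09,N,N;
CVE-2025-24990,6.15,Y,Y; CVE-2025-59230,9.53,Y,Y; CVE-2025-59287,74.66,Y,YMP;
CVE-2025-62215,0.67,Y,Y; CVE-2025-60724,0.14,N,N; CVE-2025-62199,0.46,N,N; CVE-2025-59499,0.10,N,N;
CVE-2025-62221,3.27,Y,Y; CVE-2025-64671,0.13,N,Y; CVE-2025-54100,0.21,N,Y; CVE-2025-64678,0.07,N,N
"""


@dataclass(frozen=True)
class Entry:
    cve: str
    epss: float          # EPSS probability, in percent
    in_kev: bool         # listed in CISA's KEV catalog
    exploited: bool      # any exploit evidence at all
    malware: bool        # weaponized by malware
    threat_actor: bool   # threat-actor use observed


CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_table(text: str) -> list[Entry]:
    """Parse the compact transcription; malformed CVE ids are rejected."""
    entries: list[Entry] = []
    for record in text.replace("\n", " ").split(";"):
        record = record.strip()
        if not record:
            continue
        cve, epss, kev, flags = (field.strip() for field in record.split(","))
        if not CVE_ID.fullmatch(cve):
            raise ValueError(f"malformed CVE id: {cve!r}")
        entries.append(Entry(cve, float(epss), kev == "Y",
                             "Y" in flags, "M" in flags, "T" in flags))
    return entries


def summarize(entries: list[Entry], epss_threshold: float = 5.0) -> dict[str, float]:
    """Counts and percentages in the same shape as the post's bullet list."""
    total = len(entries)
    counts = {
        "exploited": sum(e.exploited for e in entries),
        "in_kev": sum(e.in_kev for e in entries),
        "epss_over_threshold": sum(e.epss > epss_threshold for e in entries),
        "malware": sum(e.malware for e in entries),
        "threat_actor": sum(e.threat_actor for e in entries),
    }
    result: dict[str, float] = {"total": total, **counts}
    for key, value in counts.items():
        result[f"{key}_pct"] = round(100.0 * value / total, 1)
    return result


def patch_order(entries: list[Entry]) -> list[str]:
    """Rank for patching: KEV first, then any exploit evidence, then highest EPSS."""
    ranked = sorted(entries, key=lambda e: (e.in_kev, e.exploited, e.epss), reverse=True)
    return [e.cve for e in ranked]


if __name__ == "__main__":
    rows = parse_table(TABLE_2025)
    for key, value in summarize(rows).items():
        print(f"{key:>24}: {value}")
    print("patch first:", ", ".join(patch_order(rows)[:5]))
```

Running the file prints the counts and percentages for the 46 CVEs and the first five entries of the patch order. The same functions can be pointed at a transcription of the current month’s list to rank it the same way: KEV membership and exploit evidence outrank EPSS because they are observations rather than predictions, and CISA deadlines attach to KEV entries.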
Here are links to all of the 2025 blogs:
- https://expel.com/blog/patch-tuesday-roundup-for-january-2025/
- https://expel.com/blog/patch-tuesday-roundup-for-february-2025/
- https://expel.com/blog/patch-tuesday-expels-version-march-2025/
- https://expel.com/blog/patch-tuesday-expels-version-april-2025/
- https://expel.com/blog/patch-tuesday-expels-version-may-2025/
- https://expel.com/blog/patch-tuesday-june-2025-expels-version/
- https://expel.com/blog/patch-tuesday-july-2025-expels-version/
- https://expel.com/blog/patch-tuesday-august-2025-expels-version/
- https://expel.com/blog/patch-tuesday-september-2025-expels-version/
- https://expel.com/blog/patch-tuesday-october-2025-expels-version/
- https://expel.com/blog/patch-tuesday-november-2025-expels-version/
- https://expel.com/blog/patch-tuesday-december-2025-expels-version/
