Current events · 2 MIN READ · MATT JASTRAM · JAN 15, 2025 · TAGS: vulnerability prioritization
TL;DR
- January had more CVEs than we saw in December
- We’ve highlighted a few CVEs that you should focus on remediating ASAP
- All three CVEs can be resolved by applying Microsoft’s January updates, following the guidance in each advisory
New Year’s resolutions: Microsoft published 159 CVEs
For January’s Patch Tuesday, our team reviewed the 159 CVEs Microsoft released. Very little public exploitation evidence exists yet, but below are the CVEs we suggest remediating first based on our team’s analysis.
To address risky vulnerabilities, Expel focuses 100% on CVEs with actual exploitation risk. Although we conduct a monthly review of Microsoft’s massive CVE list, we recognize only a small percentage will ever be leveraged by threat actors. Our goal is to ensure our customers’ remediation is focused, and significantly reduce their level of effort.
- Windows Remote Desktop Services remote code execution vulnerability (CVE-2025-21309): Our SOC analysts continue to see attackers target Remote Desktop Services (RDS) to pivot through infrastructure environments, and a flaw in RDS carries outsized risk because of how much of an environment is reachable over RDP. This one is a race condition in the Remote Desktop Gateway role: an unauthenticated attacker who can reach the gateway connects to it, wins the race to trigger a use-after-free, and executes arbitrary code on the gateway host. No user interaction is required; the attacker’s obstacle is timing, which is why Microsoft rates the attack complexity as high. Because RD Gateway is usually Internet-facing by design, Expel recommends remediating this server-specific critical vulnerability promptly. It impacts thirteen Microsoft Windows Server versions.
- Windows SmartScreen spoofing vulnerability (CVE-2025-21314): SmartScreen was built to warn users about unsafe sites and downloads, which makes it a natural defence against phishing. This vulnerability lets an attacker get past that protection by exploiting the user rather than the code: the attacker crafts a file designed to deceive the recipient, delivers it, and needs only a single click on it to succeed. Microsoft lists the CVE as ‘Exploitation More Likely.’ We recommend remediating it, as it impacts 25 Microsoft Windows client and server versions.
- Windows NTLM V1 elevation of privilege vulnerability (CVE-2025-21311): NT LAN Manager (NTLM) is Microsoft’s suite of challenge-response authentication protocols for verifying user identities on a network, and NTLMv1 is its long-deprecated first version. This flaw can be exploited over the network with no privileges, no user interaction and very little prior knowledge of the target, which is why CVE-2025-21311 carries the highest score this month (9.8). Through our managed detection and response (MDR) monitoring we continue to see threat actors attempt NTLM credential theft, and an attacker who gains a foothold could use this vulnerability to escalate privileges on the victim’s system. Please take steps to remediate it; it impacts Windows 11 and Windows Server versions.
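A quick way to turn the list above into facts about a given host. The script below is an added example, not code from Expel or Microsoft: it reports whether the RD Gateway role (the only place CVE-2025-21309 applies) is present, whether SmartScreen is actually enabled, whether the host still accepts NTLMv1 and whether any recent 4624 logons negotiated NTLMv1, plus the most recently installed hotfixes so you can compare them with the update Microsoft lists for your build. The registry paths, the TSGateway service name and the 4624 LmPackageName field are documented Windows locations and are assumptions of this example, not something the article states; no KB numbers are hard-coded.

```powershell
# Added example, not Expel's or Microsoft's code. Assumptions (not from the article):
# registry paths, the TSGateway service, the RDS-Gateway feature name and the 4624
# LmPackageName field are the documented Windows locations for each setting.
# Run in an elevated PowerShell 5.1+ session on the host being assessed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null (rather than throwing) when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-JanuaryPatchTuesdayExposure {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # CVE-2025-21309 only matters on servers running the RD Gateway role.
    # Get-WindowsFeature exists only on Windows Server (ServerManager module).
    $rdgFeature = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $rdgFeature = (Get-WindowsFeature -Name RDS-Gateway -ErrorAction SilentlyContinue).Installed
    }
    $rdgService = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
    $rdgState = 'not present'
    if ($rdgService) { $rdgState = $rdgService.Status }

    # CVE-2025-21314: confirm SmartScreen is actually on. If it is off, users get no
    # warning at all, which is worse than a spoofable one.
    $ssPolicy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
    $ssLevel  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'ShellSmartScreenLevel'
    $ssUser   = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'

    # CVE-2025-21311: does this host still accept NTLMv1 at all?
    # LmCompatibilityLevel: only 5 refuses LM and NTLMv1 on the receiving side.
    # When the value is absent the effective default on modern Windows is 3,
    # which sends NTLMv2 but still accepts LM and NTLMv1 from clients.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lmLevel = Get-RegValue $lsa 'LmCompatibilityLevel'
    if ($null -eq $lmLevel) { $lmLevel = 3 }
    $restrictIn = Get-RegValue "$lsa\MSV1_0" 'RestrictReceivingNTLMTraffic'   # 2 = deny all accounts
    $auditIn    = Get-RegValue "$lsa\MSV1_0" 'AuditReceivingNTLMTraffic'

    # Evidence: successful logons that negotiated NTLMv1. Event 4624 records the
    # negotiated package in LmPackageName ("NTLM V1", "NTLM V2", or "-" for Kerberos).
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    $ntlmv1 = @(Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source  = $d.IpAddress
                Process = $d.ProcessName
            }
        })

    # Most recent hotfixes: compare with the January 2025 update Microsoft lists for this build.
    $latest = (Get-HotFix | Sort-Object InstalledOn -Descending |
               Select-Object -First 3 -ExpandProperty HotFixID) -join ', '

    [pscustomobject]@{
        Host                   = $env:COMPUTERNAME
        OS                     = "$($os.Caption) build $($os.BuildNumber)"
        LatestHotfixes         = $latest
        RDGatewayRoleInstalled = $rdgFeature
        RDGatewayServiceState  = $rdgState
        SmartScreenPolicy      = $ssPolicy
        SmartScreenLevel       = $ssLevel
        SmartScreenExplorer    = $ssUser
        LmCompatibilityLevel   = $lmLevel
        NTLMv1StillAccepted    = ($lmLevel -lt 5) -and ($restrictIn -ne 2)
        RestrictIncomingNTLM   = $restrictIn
        AuditIncomingNTLM      = $auditIn
        NTLMv1LogonsSeen       = $ntlmv1.Count
        NTLMv1LogonSamples     = ($ntlmv1 | Select-Object -First 5)
    }
}

Get-JanuaryPatchTuesdayExposure | Format-List
```

Run it elevated on a sample of servers. The NTLMv1 logon samples tell you which accounts and source addresses would break if you raised LmCompatibilityLevel to 5, which is the durable fix for the NTLMv1 class of problem regardless of this month’s patch. Raising the level blindly can lock out legacy devices, so set AuditReceivingNTLMTraffic first, review the resulting events, and only then enforce.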
That’s it for this month. If you have any questions about these specific vulnerabilities (or others on the Patch Tuesday list)—or if you’re interested in learning how Expel Vulnerability Prioritization can give you context for your own environment—get in touch.