The 159 new CVEs (Common Vulnerabilities and Exposures) is the ‘largest number of CVEs addressed in any single month since at least 2017,’ writes Trend Micro’s Dustin Childs.
Microsoft disclosed updates Tuesday that fix 11 critical vulnerabilities while addressing the largest number of new CVEs (Common Vulnerabilities and Exposures) seen in a monthly patch release in years, according to a Trend Micro researcher.
The tech giant fixed 159 new CVEs as part of its monthly release of software bug fixes, unofficially known as “Patch Tuesday.”
[Related: 10 Major Ransomware Attacks And Data Breaches In 2024]
That quantity of newly disclosed vulnerabilities is “largest number of CVEs addressed in any single month since at least 2017,” wrote Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, in a post Tuesday.
It’s also “more than double the usual amount of CVEs fixed in January,” Childs said.
Notably, “this comes on the heels of a record number of December patches and could be an ominous sign for patch levels in 2025,” he wrote.
CRN has reached out to Microsoft for comment.
As usual, the patches address vulnerabilities that affect numerous Microsoft product segments including Windows, Office, Azure, Hyper-V, SharePoint Server, .NET, Visual Studio, Remote Desktop Services, BitLocker and the Windows Virtual Trusted Platform Module.
Three of the flaws are listed by Microsoft as having been exploited—all of which are privilege escalation vulnerabilities impacting Windows Hyper-V. The flaws are tracked at CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335.
The vulnerabilities “all have the same description,” Childs wrote. “An authenticated user could use these to execute code with SYSTEM privileges.”
Ultimately, “if you are running Hyper-V, make sure these patches are at the top of your list for testing and deployment,” he wrote.
