157 CVEs addressed, ten rated as critical.
Microsoft addressed 157 CVEs in the first Patch Tuesday release of 2025, in the largest ever Patch Tuesday update.
According to analysis from Tenable, of the 157 CVEs addressed, ten were rated as critical and 147 were rated as important.
Several of the vulnerabilities allowed remote code execution, affecting Windows Remote Desktop Services. This included CVE-2025-21309 which was assigned a score of 8.1 and was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.
Zero Days
Three of the vulnerabilities are under active attack: CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335. Tenable reports that these are elevation of privilege vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP).
“All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important,” the security response team said. “An authenticated, local attacker could exploit this vulnerability to elevate privileges to SYSTEM.”
While Microsoft report that all three vulnerabilities have been exploited in the wild as zero-days, there are currently no specific details about the in-the-wild exploitation.
In an email to SC UK, Satnam Narang, senior staff research engineer at Tenable, said:
"Little is known about the in-the-wild exploitation of these flaws. As elevation of privilege bugs, they’re being used as part of post-compromise activity, where an attacker has already accessed a target system. It’s kind of like if an attacker is able to enter a secure building, they’re unable to access more secure parts of the facility because they have to prove that they have clearance. In this case, they’re able to trick the system into believing they should have clearance.
"More often than not, we see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because it’s not always initial access to a system that’s a challenge for attackers as they have various avenues in their pursuit."
Narang said that 2023 and 2024 Patch Tuesday releases included 45 zero days exploited in the wild. Elevation of privilege flaws took the crown each year, accounting for 19 in total, or 42 percent.
Adobe Patches
Adobe also released its own set of patches on Tuesday, addressing a total of 14 CVE-listed flaws in Photoshop, Substance 3D Stager, Illustrator on iPad, Animate, and Substance 3D Designer.
Of those, five were listed as critical, allowing for remote code execution, though none of the flaws are currently being actively targeted.
Written by
Dan Raywood
Senior Editor
SC Media UK