2025’s first Patch Tuesday: 159 patches, 8 zero-day fixes

Greg Lambert
January 21, 2025

Microsoft starts off 2025 with a hefty patch release, addressing eight zero-days with 159 patches for Windows, Microsoft Office and Visual Studio. Both Windows and Microsoft Office have “Patch Now” recommendations, and there are no browser or Exchange patches for January. Microsoft has also released a significant servicing stack update (SSU) that changes how desktop and server platforms are updated, requiring additional testing effort on how MSI Installer, MSIX and AppX packages are installed, updated and uninstalled.

To help navigate these changes to their platforms, the team from Readiness has provided a helpful infographic detailing the risks of deploying updates to each platform.

Known Issues 

The Readiness team has worked with both Citrix and Microsoft this month to detail the more impactful update issues affecting enterprise desktops, including:

  • Windows 10/11: Following the installation of the October 2024 security update, some customers report that the OpenSSH (Open Secure Shell) service fails to start, preventing SSH connections. The service fails without detailed logging, and manual intervention is required to run the sshd.exe process. Microsoft is investigating this issue with no (at the time of writing) published schedule for either mitigations or a resolution.

Citrix has reported significant issues with their Session Recording Agent (SRA) causing the Microsoft January update to fail to complete successfully. Microsoft has published a security bulletin (KB5050009) that states, “Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings”. However, once this situation has been encountered, the update process stops and rolls back to the original state. If you have the Citrix SRA installed, your device was (likely) not updated this January.
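A quick per-host triage for the two known issues above, as an added example that is not part of the original article. It assumes an elevated PowerShell session and locates the Citrix agent by display name, since the article does not give its service name.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# $kb is the KB named in the article; other Windows builds receive the
# January 2025 update under a different KB number, so adjust it per build.
$kb = 'KB5050009'

# Assumption: the Citrix agent is found by service display name pattern.
$sra  = Get-Service -DisplayName 'Citrix Session Recording*' -ErrorAction SilentlyContinue
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
$fix  = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

$result = [pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    KbInstalled    = [bool]$fix
    CitrixSraFound = [bool]$sra
    SshdStatus     = if ($sshd) { "$($sshd.Status)" } else { 'NotInstalled' }
    SshdStartType  = if ($sshd) { "$($sshd.StartType)" } else { $null }
}
$result

# Citrix SRA present and the update absent: consistent with the rollback
# behaviour described in the article.
if ($result.CitrixSraFound -and -not $result.KbInstalled) {
    Write-Warning "$kb is not installed and Citrix SRA is present: the update likely rolled back."
}

# sshd configured to start automatically but not running: consistent with
# the OpenSSH start failure described in the article.
if ($sshd -and $sshd.StartType -eq 'Automatic' -and $sshd.Status -ne 'Running') {
    Write-Warning 'sshd is set to start automatically but is not running.'
    # The article notes the failure lacks detailed logging, so this query may
    # return nothing; Service Control Manager start-failure events are still
    # the first place to look.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7009, 7031, 7034
        StartTime    = (Get-Date).AddDays(-7)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'sshd|OpenSSH' } |
        Select-Object -First 5 TimeCreated, Id, Message
}
```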

Major Revisions

For this first Patch Tuesday of 2025, we have the following revisions to previously released updates:

Microsoft has released CVE-2025-21224 this month to address two memory-related security vulnerabilities in the legacy line printer daemon (LPD), a Windows feature that has been deprecated for 15 years. I can’t see things improving for these print-related functions (given the problems we have seen for the past decade). Maybe now is the time to start removing these legacy features from your platform.
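An inventory check to run before removing the legacy LPD/LPR components, as an added example that is not part of the original article. The optional-feature names (Windows 10/11 client editions), the `LPDSVC` service name and TCP port 515 are assumptions not stated in the article.

```powershell
# Added example, not from the article. Run elevated on a Windows client.
# Assumptions: optional-feature names as used on Windows 10/11 client
# editions; LPD service name LPDSVC; TCP 515 as the LPD port (RFC 1179).
$featureNames = 'Printing-Foundation-LPDPrintService',
                'Printing-Foundation-LPRPortMonitor'

# Report the state of each legacy print feature on this host.
$features = foreach ($name in $featureNames) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Feature = $name
        State   = if ($f) { "$($f.State)" } else { 'NotPresent' }
    }
}

# Is the LPD service installed, and is anything listening on its port?
$svc      = Get-Service -Name LPDSVC -ErrorAction SilentlyContinue
$listener = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue

$features | Format-Table -AutoSize
[pscustomobject]@{
    LpdServiceStatus = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
    ListeningOn515   = [bool]$listener
} | Format-List

# Removal step, left commented out until print owners confirm that nothing
# depends on LPD/LPR:
# Disable-WindowsOptionalFeature -Online -FeatureName $featureNames -NoRestart
```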

Windows Lifecycle and Enforcement Updates 

The following Microsoft products will be retired this year:

Of course, we don’t need to mention the elephant in the room. Yes, Microsoft will end support for Windows 10 this October.

Each month, we analyze Microsoft’s updates across key product families—Windows, Office, and developer tools—to help you prioritize your patching efforts. This prescriptive, actionable guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

For this January release cycle from Microsoft, we have grouped the critical updates and required testing efforts into different functional areas including:

Remote Desktop

This month has a heavy focus on Remote Desktop Gateway (RD Gateway) and network protocols, with the following testing guidance:

  • RD Gateway Connections: Ensure RD Gateway (RDG) continues to facilitate both UDP and TCP traffic seamlessly, without performance degradation. Try disconnecting RDG from an existing/established connection.
  • VPN, Wi-Fi, and Bluetooth Scenarios: Test end-to-end configurations and nearby sharing functionality.
  • DNS Management for Operators: Verify that users in the “Network Configuration Operators” group can manage DNS client settings effortlessly.

Local Windows File System and Storage

File system and storage components also see minor updates. Desktop and server file system testing efforts should focus on:

  • Offline Files and Mapped Drives: Test mapped network drives under both online and offline conditions. Pay close attention to Sync Center status updates.
  • BitLocker: Validate drive locking and unlocking, BitLocker-native boot scenarios, and post-hibernation states with BitLocker enabled.

Virtualization and Microsoft Hyper-V

Hyper-V and virtual machines receive lightweight updates this month:

  • Traffic Testing: Install the Hyper-V feature and restart systems. Monitor network performance and ensure no regressions in virtual network traffic or virtual machine management.

Security and Authentication

Key areas for security-related testing include:

  • Digest Authentication Stress Testing: Simulate heavy loads while using Digest authentication to uncover potential issues.
  • SPNEGO Negotiations: Verify Secure Negotiation Protocol (SPNEGO) functionalities in cross-domain or multi-forest Active Directory setups.
  • Authentication Scenarios: Test applications relying on LSASS processes and ensure protocols like Kerberos, NTLM, and certificate-based authentication remain stable under load.

Other Critical Updates

Some additional testing priorities for this release:

  • App Deployment Scenarios: Install and update MSIX/Appx packages with and without packaged services, confirming admin-only requirements for updates.
  • WebSocket Connections: Establish and monitor secure WebSocket connections, ensuring proper encryption and handshake results.
  • Graphics and Themes: Test GDI+-based apps and workflows involving theme files to ensure UI elements render correctly across different view modes. Some suggestions include foreign-language applications that rely on Input Method Editors (IMEs).

January’s updates maintain a medium-risk profile for most systems, but testing remains essential—especially for networking, authentication, and file system scenarios. We recommend prioritizing remote network traffic validation, with light testing for storage and virtualization environments. If you have a large MSIX/Appx package portfolio, there is a lot of work to do to ensure that your packages install, update and uninstall successfully.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

  • Browsers (Microsoft IE and Edge) 
  • Microsoft Windows (both desktop and server) 
  • Microsoft Office
  • Microsoft Exchange and SQL Server 
  • Microsoft Developer Tools (Visual Studio and .NET)
  • Adobe (if you get this far) 

Browsers

No Microsoft browser updates for Patch Tuesday this month. Expect Chromium updates that will affect Microsoft Edge in the coming week. You can find the enterprise release schedule for Chromium here.

Microsoft Windows

This is a pretty large update for the Microsoft Windows ecosystem, with 124 patches for both desktops and servers, covering over 50 product/feature groups. We have highlighted some of the major areas of interest:

  • Fax/Telephony
  • MSI/AppX/Installer and the Windows update mechanisms
  • Windows COM/DCOM/OLE
  • Networking, Remote Desktop
  • Kerberos, Digital Certificates, BitLocker, Windows Boot Manager
  • Windows graphics (GDI) and Kernel drivers

Unfortunately, Windows security vulnerabilities CVE-2025-21275 and CVE-2025-21308 both affect core application functionality and have been publicly disclosed. Add these Windows updates to your “Patch Now” release schedule.

Microsoft Office

Microsoft Office attracts three critical-rated updates, and a further 17 patches rated as important by Microsoft. Unusually, three Microsoft Office updates affecting Microsoft Access fall into the “zero-day” category with CVE-2025-21366, CVE-2025-21395 and CVE-2025-21186 publicly disclosed. Add these Microsoft updates to your “Patch Now” release calendar.

Microsoft Exchange and SQL Server

No updates from Microsoft for SQL Server or Microsoft Exchange servers this January. 

Microsoft Developer Tools (Visual Studio and .NET)

Microsoft has released seven updates which have been rated as important affecting Microsoft .NET and Visual Studio. Given the urgent attention required for Microsoft Office and Windows this month, you can add these standard, low-profile patches to your standard developer release schedule. 

Adobe and 3rd party updates

No Adobe-related patches have been released by Microsoft this month. However, two 3rd-party, development-related updates have been published by Microsoft: one affecting GitHub (CVE-2024-50338) and a CERT CC patch (CVE-2024-7344). Both updates can be added to the standard developer release schedule.

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
