{"id":15464,"date":"2026-01-14T01:51:52","date_gmt":"2026-01-14T01:51:52","guid":{"rendered":"https:\/\/newestek.com\/?p=15464"},"modified":"2026-01-14T01:51:52","modified_gmt":"2026-01-14T01:51:52","slug":"january-2026-microsoft-patch-tuesday-actively-exploited-zero-day-needs-attention","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15464","title":{"rendered":"January 2026 Microsoft Patch Tuesday: Actively exploited zero day needs attention"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Eight critical vulnerabilities and an actively exploited zero day highlight Microsoft\u2019s first Patch Tuesday announcements for 2026<\/a>.<\/p>\n

Most of the higher scoring vulnerabilities impact Office products, with two holes in SharePoint scoring an 8.8 on the CVSS scale.<\/p>\n

\u201cLast year\u2019s abuse of SharePoint by Chinese APTs to deploy ToolShell against organizations should serve as a warning that SharePoint- and Office-related vulnerabilities can quickly become popular with threat actors,\u201d noted Nick Carroll<\/a>, cyber incident response manager at Nightwing.\u00a0<\/p>\n

The other vulnerability that scored a CVSS rating of 8.8 is CVE-2026-20868<\/a> for the Windows Routing and Remote Access Service. This is a heap-based buffer overflow that allows an unauthorized attacker to execute code over a network. There\u2019s also a patch for a lower-scoring hole in this service (CVE-2026-20843<\/a>) that allows an elevation of privilege.<\/p>\n

Desktop Windows Manager<\/h2>\n

Arguably, the vulnerability that should draw the attention of CSOs is CVE-2026-20805<\/a>, because it\u2019s already being exploited. No public proof-of-concept code has been disclosed. It is a hole in Desktop Windows Manager (DWM) that allows a locally authenticated attacker to view information in memory to help them weaken system protections, and from that go deeper into IT systems that rely on DWM.<\/p>\n

Exploitation requires local access with low privileges and no user interaction, note researchers at Action1<\/a>, making it feasible for attackers already present on a system.<\/p>\n

For organizations, this vulnerability increases the risk of successful multi-stage attacks, said Jack Bicer<\/a>, director of vulnerability research at Action1. Leaked memory details can be combined with other vulnerabilities to achieve privilege escalation or allow data theft, potentially leading to broader system compromise, regulatory exposure, and loss of trust.<\/p>\n

If the patch can\u2019t be applied immediately, he said, admins should limit local access, enforce least-privilege policies, and closely monitor systems for suspicious local activity.<\/p>\n

\u201cFrom a risk perspective, this issue materially increases the success rate of follow on exploits,\u201d warned Bicer, \u201cand should be viewed as an attack enabler rather than a standalone flaw.\u201d<\/p>\n

Satnam Narang<\/a>, senior staff research engineer at Tenable, called DWM a \u201cfrequent flyer\u201d on Patch Tuesday, with 20 CVEs patched in this library since 2022. But, he added, this is the first time researchers have seen an information disclosure bug in this component exploited in the wild.<\/p>\n

More priorities<\/h2>\n

Executives should also prioritize rapid patching and risk reduction efforts this month around the Windows Local Security Authority Subsystem Service Remote Code Execution, Windows Graphics Component Elevation of Privilege, and Windows Virtualization Based Security Enclave Elevation of Privilege flaws, Bicer said, as these vulnerabilities directly enable full system or trust boundary compromise.<\/p>\n

Strategic focus should include accelerating patch deployment for critical and important flaws, reducing unnecessary local access, hardening authentication paths, and closely monitoring for abnormal privilege escalation behavior, Bicer said.<\/p>\n

\u201cThe Desktop Window Manager Information Disclosure should be addressed in parallel due to confirmed exploitation and its role in enabling chained attacks,\u201d he added.<\/p>\n

Secure Boot certificates<\/h2>\n

Security experts also drew attention to Microsoft\u2019s warning that certain Secure Boot certificates issued in 2011 will expire in June or October unless updates included in the January patches are installed. Details are included in CVE-2026-21265<\/a>. Secure Boot prevents malicious code from loading during the Windows startup process; systems not updated in time may become vulnerable to Secure Boot bypasses.<\/p>\n

Chris Goettl<\/a>, vice-president of product management at Ivanti, called this \u201ca ticking time bomb for enterprise security that IT teams need to act on now before facing serious operational issues.\u201d<\/p>\n

Additionally, Tyler Reguly<\/a>, associate director of security R&D at Fortra, noted that the Microsoft documentation of fixes for the expiring certificates isn\u2019t a single page, but contains a multitude of links \u2013 including an entire deployment playbook for IT professionals. \u201cWith less than half a year to prepare, it is time to ensure that environments and teams are prepared for this update,\u201d he said.<\/p>\n

More likely for exploit<\/h2>\n

Reguly also said one of the more interesting updates this month is a fix for a Windows Agere Soft Modem Driver elevation of privilege (CVE-2023-31096) issue. \u201cIt is not often that you see a CVE from three years ago show up, but Microsoft is finally cleaning up a problem that has been around for a while,\u201d he said. This driver ships with Microsoft Windows, but according to a post about this vulnerability<\/a>, the driver has been end of life since 2016. The solution to this vulnerability is simply to remove the impacted drivers, agrsm64.sys<\/em> and agrsm.sys<\/em>, from systems.<\/p>\n

Nick Carroll<\/a> of Nightwing says security leaders should pay attention to patching vulnerabilities that Microsoft says are more likely to be exploited. These are:<\/p>\n