More priorities: Executives should also prioritize rapid patching and risk reduction efforts this month around the Windows Local Security Authority Subsystem Service Remote Code Execution, Windows Graphics Component Elevation of Privilege, and Windows Virtualization Based Security Enclave Elevation of Privilege flaws, Bicer said, as these vulnerabilities directly enable full system or trust boundary compromise.Strategic focus should include accelerating patch deployment for critical and important flaws, reducing unnecessary local access, hardening authentication paths, and closely monitoring for abnormal privilege escalation behavior, Bicer said.”The Desktop Window Manager Information Disclosure should be addressed in parallel due to confirmed exploitation and its role in enabling chained attacks,” he added.
Secure Boot certificates: Security experts also drew attention to Microsoft’s warning that certain Secure Boot certificates issued in 2011 will expire in June or October unless updates included in the January patches are installed. Details are included in CVE-2026-21265. Secure Boot prevents malicious code from loading during the Windows startup process; systems not updated in time may become vulnerable to Secure Boot bypasses.Chris Goettl, vice-president of product management at Ivanti, called this “a ticking time bomb for enterprise security that IT teams need to act on now before facing serious operational issues.”Additionally, Tyler Reguly, associate director of security R&D at Fortra, noted that the Microsoft documentation of fixes for the expiring certificates isn’t a single page, but contains a multitude of links including an entire deployment playbook for IT professionals. “With less than half a year to prepare, it is time to ensure that environments and teams are prepared for this update,” he said.
More likely for exploit: Reguly also said one of the more interesting updates this month is a fix for a Windows Agere Soft Modem Driver elevation of privilege (CVE-2023-31096) issue. “It is not often that you see a CVE from three years ago show up, but Microsoft is finally cleaning up a problem that has been around for a while,” he said. This driver ships with Microsoft Windows, but according to a post about this vulnerability, the driver has been end of life since 2016. The solution to this vulnerability is simply to remove the impacted drivers, agrsm64.sys and agrsm.sys, from systems.Nick Carroll of Nightwing says security leaders should pay attention to patching vulnerabilities that Microsoft says are more likely to be exploited. These are:
an improper handling of permissions in Windows Error Reporting (CVE-2026-20817) that could allow an authorized attacker to elevate privileges locally; a buffer overflow in Windows Common Log File System Driver (CVE-2026-20820) that could lead to an authorized attacker to elevate privileges locally; a buffer overflow that could lead to remote code attacks in Windows NTFS (CVE-2026-20840).This is one of two NTFS issues flagged this month, noted Kev Breen, senior director of cyber threat research at Immersive. If technical details are made public, this could become an n-day vulnerability, he warned, creating a narrow window in which IT can apply patches before exploitation becomes widespread; an issue with Windows Ancillary Function Driver for WinSock that can let an authorized attacker elevate privileges locally (CVE-2026-20860); an elevation of privilege issue in Desktop Windows Manager (CVE-2026-20871); a remote code execution vulnerability in Windows NTFS (CVE-2026-20922).
SAP updates: Separately, SAP released 19 new or updated security patches, including six HotNews Notes and four High Priority Notes. One of the most important is a critical SQL injection vulnerability in S/4HANA Private Cloud and On-Premise (Financials General Ledger), tagged with a CVSS score of 9.9. Exploitation can lead to full system compromise by low-privileged users. In addition, a code injection vulnerability, with a CVSS score of 9.1, was patched in S/4HANA Private Cloud and On-Premise.
Oracle and Mozilla: Researchers at Ivanti note that Mozilla released a trio of updates for Firefox and Firefox ESR resolving a total of 34 CVEs. All three updates have an Impact rating of High. Two of the CVEs are suspected to have been exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03). Finally, researchers at Nightwing note that Oracle admins should be ready for the first of the company’s four major patch days a year, which this year falls on Tuesday January 20. There should be a pre-release announcement on January 15 that will help organizations prepare for what’s coming.
an improper handling of permissions in Windows Error Reporting (CVE-2026-20817) that could allow an authorized attacker to elevate privileges locally; a buffer overflow in Windows Common Log File System Driver (CVE-2026-20820) that could lead to an authorized attacker to elevate privileges locally; a buffer overflow that could lead to remote code attacks in Windows NTFS (CVE-2026-20840).This is one of two NTFS issues flagged this month, noted Kev Breen, senior director of cyber threat research at Immersive. If technical details are made public, this could become an n-day vulnerability, he warned, creating a narrow window in which IT can apply patches before exploitation becomes widespread; an issue with Windows Ancillary Function Driver for WinSock that can let an authorized attacker elevate privileges locally (CVE-2026-20860); an elevation of privilege issue in Desktop Windows Manager (CVE-2026-20871); a remote code execution vulnerability in Windows NTFS (CVE-2026-20922).
SAP updates: Separately, SAP released 19 new or updated security patches, including six HotNews Notes and four High Priority Notes. One of the most important is a critical SQL injection vulnerability in S/4HANA Private Cloud and On-Premise (Financials General Ledger), tagged with a CVSS score of 9.9. Exploitation can lead to full system compromise by low-privileged users. In addition, a code injection vulnerability, with a CVSS score of 9.1, was patched in S/4HANA Private Cloud and On-Premise.
Oracle and Mozilla: Researchers at Ivanti note that Mozilla released a trio of updates for Firefox and Firefox ESR resolving a total of 34 CVEs. All three updates have an Impact rating of High. Two of the CVEs are suspected to have been exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03). Finally, researchers at Nightwing note that Oracle admins should be ready for the first of the company’s four major patch days a year, which this year falls on Tuesday January 20. There should be a pre-release announcement on January 15 that will help organizations prepare for what’s coming.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4116437/january-2026-microsoft-patch-tuesday-actively-exploited-zero-day-needs-attention.html
