Technology giants Microsoft and Adobe started the year with a significant volume of security updates for their products. In January, both companies released several bulletins aimed at fixing a wide range of vulnerabilities, including critical flaws and an ongoing exploit.
This remediation effort, which traditionally takes place on the second Tuesday of the month, aims to protect millions of users and organizations around the world against potential cyber threats. This month’s package highlights the ongoing battle against malicious software and sophisticated attacks.
Specialists’ attention is focused on correcting vulnerabilities that, if not addressed, could compromise the integrity of systems. The rapid application of these patches is essential to mitigate risks and ensure digital security.
Adobe: Comprehensive fixes and priorities
Adobe released 11 bulletins this month, which address a total of 25 unique CVE vulnerabilities. Affected products include Dreamweaver, InDesign, Illustrator, InCopy, Bridge, the Substance 3D suite (Modeler, Stager, Painter, Sampler,
Among the updates, the fix for ColdFusion stands out for being classified as Priority 1, although there was no public knowledge of the flaw and no active attacks at the time of release. This patch targets a single code execution flaw, underscoring the potential severity of the vulnerability if it were exploited.
Dreamweaver received fixes for five code execution vulnerabilities classified as Critical, while InDesign also had five CVEs, four of them also classified as Critical. The Substance 3D suite, despite multiple fixes, had only a few rated as critical arbitrary code execution flaws, as in Substance 3D Stager and Painter.
Most of the Adobe updates, with the exception of ColdFusion, were listed with deployment priority 3, indicating that, although important, they were not under active attack nor were they public knowledge at the time of their release.
Microsoft’s robust package for the year
Microsoft started the year with a massive release, revealing 112 new vulnerabilities (CVEs) in its systems and components, including Windows, Office, Azure, Microsoft Edge (based on Chromium), SharePoint Server, SQL Windows Management Services. With third-party updates to Chromium, the total CVEs rise to 114.
This high patch volume in January is not unusual, reflecting a common practice of vendors delaying certain updates during the holiday season. This strategy seeks to avoid significant interruptions if fixes cause compatibility issues or critical failures during a period of reduced availability of support teams.
Of the released fixes, eight were classified as Critical, while the rest were categorized as Important. The diversity of vulnerabilities demonstrates the complexity of maintaining security in a software ecosystem as broad and interconnected as that of Microsoft.
Actively Exploited Vulnerability: Urgent Alert
One of the highlights of the Microsoft package is a vulnerability that is under active attack: CVE-2026-20805, an information disclosure flaw in Desktop Window Manager. Although it is unusual for an information disclosure flaw to be exploited in real time, this vulnerability allows the leaking of addresses from remote ALPC port sections.
This information exposure is crucial because attackers can use these addresses as a preliminary step in a broader exploitation chain. Generally, the ultimate goal is to achieve arbitrary code execution (RCE), and the leaked addresses make exploits more reliable and efficient. Microsoft did not detail the scope of the exploits, but the nature of the flaw suggests considerable risk to unpatched systems.
Notable flaws in Microsoft Office and other systems
Microsoft Office was once again the target of vulnerabilities, with CVE-2026-20952 and CVE-2026-20953 standing out as remote code execution (RCE) flaws. These vulnerabilities are of concern due to exploitation vectors involving the Preview Pane, allowing attacks without direct user interaction.
While there is no record of active exploits for these specific flaws yet, the recurrence of vulnerabilities in the Office Preview Pane indicates a persistent area of risk. Administrators can mitigate the danger by disabling the Preview Pane, a preventative measure that, while not a definitive fix, prevents exploitation via this vector.
Another relevant flaw is CVE-2026-21265, a bypass vulnerability of the Secure Boot security feature due to certificate expiration. Although the chance of exploitation is low, the potential for problems for administrators is high. Failure to update certificates may prevent devices using Secure Boot from receiving future security updates or trusting new boot loaders, exposing them to future risks.
In-depth analysis of important CVEs
The full list of Microsoft CVEs for January 2026 covers a wide range of issues. The critical flaws, in addition to those already mentioned in Office, include remote code execution vulnerabilities in Microsoft Excel and Word, and elevation of privileges in the graphics component of the Windows Virtualization-Based Security (VBS) Enclave.
VBS, a newer security feature of Windows, uses Virtual Trust Levels (VTLs) to manage privileges. CVE-2026-20876 allows elevation of privileges to VTL2, currently the highest level, which poses a significant risk. Embora to
The significant vulnerabilities span nearly all services and components of Windows and There are also remote code execution vulnerabilities in SharePoint Server, SQL Server, and Deployment Services of This wide distribution highlights the need for a robust and ongoing patching strategy by organizations.
Recommendations for IT administrators
Given the extensive volume of security updates released by Adobe and Microsoft, system administrators and IT teams should prioritize implementing these patches. The presence of an actively exploited vulnerability in Microsoft, along with several others classified as critical, makes immediate action imperative to protect digital infrastructures.
It is critical that organizations review the full list of CVEs and assess the potential impact in their specific environments. Testing in controlled environments prior to production deployment is a best practice to ensure compatibility and avoid operational disruptions. Additionally, disabling features like the Preview Pane in high-risk environments can provide an extra layer of protection against zero-day or as-yet-unknown exploits.
Continuous vigilance for new threats and maintaining up-to-date systems are essential pillars in defending against cyber attacks. The January 2026 updates serve as a stark reminder of the constantly evolving threat landscape and the need for resilience and proactiveness in cybersecurity.

