January 2026 Patch Tuesday: 112 CVEs, 8 Critical, 1 Exploited

Executive Summary

Microsoft’s January 2026 Patch Tuesday addresses 112 vulnerabilities across a wide array of Windows-based services and applications. Among them, eight are rated critical and one, CVE-2026-20805, is known to be actively exploited in the wild. This month’s threat intelligence report underscores a continuing pattern of remote code execution (RCE) and elevation of privilege (EoP) vulnerabilities targeting core components such as LSASS, Excel, Word, and VBS Enclave—all critical components in enterprise networks.

What Happened

On January 13, Microsoft issued patches for 112 CVEs across its product suite. Eight vulnerabilities were classified as critical, including six remote code execution bugs affecting Microsoft Word, Excel, Office, and the LSASS subsystem. Two others involve elevation of privilege in Windows Graphics components and the VBS Enclave.

CVE-2026-20805, an information disclosure flaw in the Desktop Window Manager, is confirmed as being exploited in the wild—though not publicly disclosed. This vulnerability, rated “important” by Microsoft, has a CVSS score of 5.5 and could expose sensitive data.

Cisco Talos simultaneously published updated Snort intrusion detection rules, aimed at helping defenders detect exploitation attempts of these vulnerabilities. Both Snort 2 and Snort 3 users are urged to update to the most recent rule sets.

Why This Matters for CISOs

Unpatched privilege escalation and remote code execution vulnerabilities increase the enterprise’s exposure to lateral movement, data theft, and service disruption. Malicious actors increasingly target productivity platforms like Office, Excel, and Word to exploit users through file-based attacks.

For CISOs, this represents more than a technical threat—it is a governance and compliance risk demanding alignment with broader vulnerability handling practices. Given the frequency with which Microsoft’s core services are targeted, this update reinforces the critical need for a robust patch management CISO strategy to reduce organizational attack surfaces.

Threat & Risk Analysis

The January bulletin highlights high-value exploitation pathways frequently leveraged in post-exploitation phases—including LSASS tampering, graphics-related SYSTEM access, and vulnerable Excel file parsing logic.

Attack Vectors

• File-based vectors enticing victims to open weaponized Word/Excel documents (CVE-2026-20944, CVE-2026-20955, CVE-2026-20957)
• Network-based RCE via LSASS and VBS Enclave vulnerabilities (CVE-2026-20854, CVE-2026-20876)
• Local privilege elevation via race conditions and heap overflows

Exposure Scenarios

• Endpoints running Microsoft Office with delayed patch deployment
• Users engaging with phishing attachments containing malformed files
• Systems using Windows virtualization features at scale (e.g., in cloud hosts or sandboxed environments)

Supply Chain Relevance
While these are not third-party software vulnerabilities per se, their presence in Office and Windows environments presents supply chain risk to any organization using OEM integrations or virtualized cloud infrastructure reliant on Microsoft’s baselines.

Attacker Motivations
These vulnerabilities offer both stealthy user impersonation capabilities and initial footholds. RCE plus EoP is a recipe for full domain takeover in a matter of minutes for capable APT or ransomware operators.

Potential Enterprise Impact

• Unauthorized administrative access
• Lateral movement across trust boundaries
• Regulatory noncompliance due to delayed or incomplete patching

For organizations maintaining hybrid AD/M365 infrastructure or relying on Microsoft Excel for data exchange, we recommend proactive review of all file-handling security rules.

Stay informed on developments via our daily cyber threat briefings and consider investing in a comprehensive patch management strategy.

MITRE ATT&CK Mapping

• T1203 — Exploitation for Client Execution
  Excel, Word, and Office file-based RCE allows attacker-controlled code execution via malicious documents.
• T1055 — Process Injection
  Vulnerabilities in LSASS could be used to inject into legitimate processes post-exploit.
• T1068 — Exploitation for Privilege Escalation
  Several bugs allow attackers to elevate privileges to SYSTEM or even VTL2.
• T1082 — System Information Discovery
  Exploitation of Desktop Window Manager may expose sensitive system data.
• T1105 — Ingress Tool Transfer
  Initial code execution from RCE may be used to stage secondary tooling in memory.
• T1078 — Valid Accounts
  Credential harvesting post-EoP could enable persistent access with stolen tokens.

Key Implications for Enterprise Security

• Users remain a critical vulnerability vector through document-based execution
• Hybrid cloud environments using VBS functions are exposed if patches are delayed
• “Important” vulnerabilities should not be deprioritized when exploited in the wild
• Detection without remediation is insufficient—exposure windows remain high

Recommended Defenses & Actions

Immediate (0–24h)

• Audit environment for unpatched affected components, especially Office, Excel, and Word
• Push out January Microsoft patches for critical flaws across all assets
• Update Snort 2 and Snort 3 rule sets if deployed; monitor release notes for changes

Short Term (1–7 days)

• Communicate risk of malicious document attachments to all end-users
• Validate EDR/NDR solutions detect post-exploitation behavior tied to LSASS, VBS Enclave
• Map CVEs back to affected business processes for granular risk staging

Strategic (30 days)

• Update patch SLAs to prioritize Microsoft Office and endpoint services
• Expand security awareness efforts regarding document-based phishing lures
• Conduct threat hunting using indicators derived from Snort rules and exploit signatures

Conclusion

This month’s Patch Tuesday again validates the risk posture created by latent RCE and EoP flaws within key enterprise tools. With exploitation of CVE-2026-20805 confirmed in the wild, CISOs cannot afford to deprioritize “important” vulnerabilities in remediation rollouts. A proactive, file-aware detection strategy tied into a timely vulnerability lifecycle process will be essential to navigating the evolving cyber threat landscape.