Microsoft January Windows Updates Trigger Patch-Break-Patch Cycle and Emergency OOB Fixes
Microsoft’s January Windows security updates triggered an unusual patch-break-patch cycle that forced multiple out-of-band (OOB) releases after users reported significant regressions. Reporting indicates the Jan. 13 Patch Tuesday update (including KB5074109) was followed by an urgent Jan. 17 fix that introduced additional problems, leading to a second emergency OOB update on Jan. 24; impacts cited include Remote Desktop sign-in/authentication failures and broader stability issues such as Outlook freezing and file-system/compatibility problems affecting OneDrive and Dropbox integrations. Microsoft advised customers to move to the latest available update despite the disruption.
Separate analysis highlighted that Windows’ long-standing commitment to backwards compatibility continues to create persistent exposure and operational risk: many exploited-in-the-wild Microsoft zero-days in 2025 were elevation-of-privilege issues rooted in legacy components, reinforcing that “traditional” exploit chains and accumulated Windows tech debt remain a primary driver of both security and patching complexity. Taken together, the coverage underscores that Windows defenders face a dual challenge: rapid deployment of security fixes to reduce exploitation risk, while managing the real possibility that emergency remediation can itself introduce enterprise-impacting outages.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft releases second emergency update KB5078127
On 2026-01-24, Microsoft issued a second out-of-band update, KB5078127, to remediate the bugs introduced by the earlier emergency patch. Microsoft advised affected users to update to the latest version.
First emergency fix introduces OneDrive, Dropbox, and Outlook bugs
Following deployment of KB5077744, new issues were reported including file access problems involving OneDrive and Dropbox, as well as Outlook freezing and mail anomalies. The failed remediation forced Microsoft into a second emergency response.
Microsoft issues first emergency out-of-band fix KB5077744
On 2026-01-17, Microsoft released an out-of-band update, KB5077744, primarily targeting Windows 11 24H2 and 25H2 systems to address problems introduced by the January Patch Tuesday release. This marked the first emergency remediation in the month's patch cycle.
January Patch Tuesday update causes Remote Desktop and stability issues
After KB5074109 was deployed, users experienced Remote Desktop sign-in failures along with shutdown and hibernation problems. These regressions triggered the need for an out-of-band fix.
Microsoft releases January 2026 Patch Tuesday update KB5074109
On 2026-01-13, Microsoft issued its regular Patch Tuesday Windows update, KB5074109, to address multiple issues and vulnerabilities. The update later proved problematic for some users and systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft January Patch Tuesday Security Updates for Windows 10/11
Microsoft shipped its January Patch Tuesday security updates for **Windows 10** (including ESU/LTSC) and **Windows 11**, addressing a large set of vulnerabilities and rolling in additional platform hardening changes. Windows 10’s *KB5073724* (ESU) updates systems to build `19045.6809` (and LTSC 2021 to `19044.6809`) and includes security/bug fixes plus a phased update to handle **expiring Secure Boot certificates**; it also removes legacy **Agere modem drivers** (`agrsm64.sys`, `agrsm.sys`, `smserl64.sys`, `smserial.sys`), which can break dependent modem hardware. Windows 11 cumulative updates *KB5074109* (25H2/24H2) and *KB5073455* (23H2) are mandatory and include fixes for issues such as WSL mirrored networking failures (“No route to host”) impacting VPN access and RemoteApp connection failures in Azure Virtual Desktop environments. Third-party analysis of the same Patch Tuesday release reported **112 vulnerabilities** (with **8 marked critical**) and at least one vulnerability observed exploited in the wild: **CVE-2026-20805**. The critical issues highlighted include multiple **remote code execution** vulnerabilities across Windows components and Office applications (including **LSASS**, Word, Excel, and Office), plus **elevation of privilege** flaws such as **CVE-2026-20822** (Windows Graphics Component, use-after-free leading to potential SYSTEM privileges) and **CVE-2026-20854** (LSASS RCE over the network without requiring elevated privileges). Organizations should prioritize rapid deployment of the January Windows updates, with particular attention to exploited-in-the-wild items and critical RCE/EoP paths.
Mar 21, 2026
Microsoft January Patch Tuesday Fixes 114 Vulnerabilities Including Three Zero-Days
Microsoft’s January Patch Tuesday security updates addressed **114 vulnerabilities**, including **three zero-days** reported as publicly known and/or exploited. Reported issues span multiple Windows and Microsoft product components, including **Desktop Window Manager (DWM)**, legacy modem drivers, and core OS services, with a mix of **information disclosure**, **elevation of privilege (EoP)**, **security feature bypass**, and **remote code execution (RCE)** flaws. Technical highlights called out include **CVE-2023-31096** (Windows Agere Soft Modem Driver EoP), **CVE-2026-20805** (DWM information disclosure), and a **Secure Boot certificate expiration** security feature bypass (**CVE-2026-21265**). The update set also includes multiple **Office/Excel/Word RCE** vulnerabilities (e.g., **CVE-2026-20952**, **CVE-2026-20953**, **CVE-2026-20955**, **CVE-2026-20957**, **CVE-2026-20944**), Windows privilege-escalation issues (e.g., **Windows Graphics Component** and **VBS Enclave** EoP), and cloud/agent components such as **Azure Connected Machine Agent** (**CVE-2026-21224**) and **Azure Core shared client library for Python** (**CVE-2026-21226**).
Mar 21, 2026
Microsoft Issues Record Patch Tuesday With 206 Fixes and Multiple Zero-Day Risks
Microsoft released its largest Patch Tuesday update to date, fixing **206 vulnerabilities** across Windows, Office, Azure, Exchange, SharePoint, SQL Server, Visual Studio, Copilot-related offerings, and other products. Multiple reports said the release included **three publicly disclosed zero-days**, while Microsoft separately noted an earlier out-of-band fix for the actively exploited Microsoft Defender flaw `CVE-2026-41091`. Publicly disclosed issues in the June bundle included `CVE-2026-50507`, a **BitLocker** security feature bypass that could expose encrypted data with physical access and available proof-of-concept code, and `CVE-2026-45586`, a **Windows CTFMON** elevation-of-privilege flaw that could let a low-privileged local attacker gain **SYSTEM** access. JPCERT/CC also warned that Microsoft disclosed active exploitation of `CVE-2026-42897`, a spoofing flaw in **Microsoft Exchange Server**.
Jun 20, 2026