Security Bulletin

January 15, 2026

Overview:

Microsoft’s January 13, 2026 Patch Tuesday addressed ~114 vulnerabilities (counts vary slightly by tracker methodology), including one actively exploited zero-day, two publicly disclosed zero-days, and eight critical issues.

Vulnerability Category Breakdown:

• Elevation of Privilege (EoP): ~57 vulnerabilities (~50%)

• Remote Code Execution (RCE): ~22 vulnerabilities (~19%)

• Information Disclosure: ~22 vulnerabilities (~19%)

• Security Feature Bypass: ~3 vulnerabilities

• Denial of Service (DoS): ~2 vulnerabilities

• Spoofing: ~5 vulnerabilities

Top 5:

1) CVE-2026-20805: Windows Desktop Window Manager (DWM) Information Disclosure (Exploited in the wild / zero-day)

• Why it matters: This one is confirmed exploited, and while it’s “only” info disclosure, these bugs are often used to make other exploits reliable.

• Affected systems: Windows endpoints and servers running the Desktop Window Manager component (most Windows client systems; many server systems depending on configuration).

• Pivotalogic Priority Rating: SHUT IT DOWN - treat as “patch now,” especially for high-risk user populations and internet-exposed RDP/VDI environments.

2) CVE-2026-20952 & CVE-2026-20953: Microsoft Office Remote Code Execution (RCE) 

• Why it matters: RCE via malicious Office files is evergreen, but the spicy detail here: Preview Pane can be an attack vector, meaning the user may not need to open the document for the exploit path to trigger.

• Affected systems: Microsoft Office installations (user endpoints, terminal servers, shared jump boxes where Office exists).

• Pivotalogic Priority Rating: SHUT IT DOWN - Patch applicable systems ASAP.

3) CVE-2026-20854: Windows LSASS Remote Code Execution

• Why it matters: Local Security Authority Subsystem Service (LSASS) is the backbone of Windows authentication. Bugs here are high-value because they can become privilege escalation, credential access, or domain-impacting footholds depending on exploitation context.

• Affected systems: Windows clients and servers (domain-joined systems deserve special attention).

• Pivotalogic Priority Rating: SHUT IT DOWN - Patch ASAP for servers and endpoints.

4) CVE-2026-20856: Windows Server Update Services (WSUS) Remote Code Execution

• Why it matters: WSUS is patching infrastructure. If an attacker lands RCE here, it’s not just “a server got popped” — it can become a software distribution / trust problem. Multiple sources describe this as a network-exploitable RCE.

• Affected systems: Windows Server systems running the WSUS role.

• Pivotalogic Priority Rating: SHUT IT DOWN - Apply patch immediately to internet facing and high-risk WSUS servers.

5) CVE-2026-20840 & CVE-2026-20922: Windows NTFS Remote Code Execution

• Why it matters: NTFS bugs have nasty reach because they can be triggered through how systems parse file system data. Tenable highlights both as heap-based buffer overflow issues and notes Microsoft assessed them as “Exploitation More Likely.”

• Affected systems: Windows endpoints and servers using NTFS (i.e., almost everything Windows).

• Pivotalogic Priority Rating: Yikes! - Apply patch to applicable systems within 1 week, 72 hours for higher risk systems/environments.

Pivotalogic Priority Rating Scale:

💥SHUT IT DOWN (not literally) = Critical

🚨Yikes! = High

⚠️Welp. = Medium

💡Eh = Low

Full Microsoft release notes HERE