Microsoft fixes actively exploited Windows Hyper-V zero-day flaws - Help Net Security


Microsoft January 2025 Patch Tuesday: Windows Hyper-V Zero-Day Exploits and Other Critical Fixes

On January 14, 2025, Microsoft released its first Patch Tuesday updates of the year, addressing a significant number of vulnerabilities, including several critical and actively exploited zero-day flaws affecting Windows Hyper-V.

Windows Hyper-V Zero-Day Exploits

The most pressing concerns are three actively exploited zero-day vulnerabilities in Windows Hyper-V:

  • CVE-2025-21333: An elevation of privilege vulnerability in the Windows Hyper-V NT Kernel Integration VSP. Successful exploitation gives an attacker SYSTEM privileges on the affected Windows device.
  • CVE-2025-21334: A second elevation of privilege vulnerability in the same component, exploitable in a similar way to CVE-2025-21333.
  • CVE-2025-21335: A third vulnerability, also in the Windows Hyper-V NT Kernel Integration VSP, that likewise lets an attacker elevate privileges on the system.

All three flaws sit in the same component and were likely identified through related attack activity, but Microsoft has not disclosed specifics of how they are being exploited.

Overall Patch Tuesday Details

Number and Severity of Vulnerabilities

Microsoft addressed a total of 159 vulnerabilities in this update, including:

  • Eight zero-day vulnerabilities, three of which (the Hyper-V flaws described above) are being actively exploited in the wild.
  • Twelve vulnerabilities rated "Critical", including several remote code execution (RCE) flaws.
  • By category: 58 RCE flaws, 40 elevation of privilege issues, 24 information disclosure vulnerabilities, 20 denial of service problems, 14 security feature bypass vulnerabilities, and 5 spoofing vulnerabilities.

Notable Vulnerabilities

  • CVE-2025-21275: A Windows App Package Installer elevation of privilege vulnerability that was publicly disclosed before the patch.
  • CVE-2025-21308: A Windows Themes spoofing vulnerability discovered by Blaz Satler of 0patch by ACROS Security. It can expose a user's NTLM credentials when a specially crafted Theme file is viewed in Windows Explorer.
  • Microsoft Access RCE vulnerabilities: Three RCE vulnerabilities in Microsoft Access (CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395) were also addressed. As a mitigation, Microsoft now blocks several Access document types (.accdb, .accde, .accdw, .accdt, .accda, .accdr, and .accdu) when they are received via email.

Additional Critical Vulnerabilities

Other critical vulnerabilities fixed in this update include:

  • CVE-2025-21362 & CVE-2025-21354: RCE vulnerabilities in Microsoft Excel that allow arbitrary code execution if a user opens a specially crafted file.
  • CVE-2025-21311: A critical vulnerability in Windows NTLM V1 that could allow privilege escalation.
  • CVE-2025-21309 & CVE-2025-21297: RCE vulnerabilities in Windows Remote Desktop Services.
  • CVE-2025-21307: An RCE vulnerability in the Reliable Multicast Transport Driver (RMCAST).

Installation and Availability

The updates can be obtained through various channels:

  • Windows Update: Users can check for updates via Settings > Windows Update.
  • Microsoft Update Catalog: The updates are available for manual download from the catalog.
  • Windows Server Update Services (WSUS): The updates can also be deployed through WSUS.

Affected Versions

The patches apply to all still fully supported versions of Windows 10 and Windows 11, with specific builds for each version, including Windows 10 Version 21H2, 22H2, 1809, and 1607 (Windows Server 2016).

Conclusion

The January 2025 Patch Tuesday update is significant due to the large number of vulnerabilities addressed and the critical nature of the fixes, particularly the three actively exploited zero-day vulnerabilities in Windows Hyper-V. These updates are crucial for maintaining the security and integrity of Windows systems and related software. Organizations and users are advised to apply these patches promptly to mitigate potential threats.