Microsoft Patches Trio of Exploited Windows Hyper-V Zero-Days - SecurityWeek

Microsoft January 2025 Patch Tuesday: Hyper-V and Windows Zero-Day Exploits

Hyper-V Vulnerabilities

In the latest Microsoft Patch Tuesday for January 2025, several critical vulnerabilities affecting Microsoft Hyper-V have been addressed. Here are the key details:

• CVE-2025-21333, CVE-2025-21334, CVE-2025-21335: These are elevation of privilege vulnerabilities in the Windows Hyper-V NT Kernel Integration VSP. These vulnerabilities were actively exploited in attacks to gain SYSTEM privileges on Windows devices. The exploits allowed attackers to elevate their privileges, potentially giving them full system control. These vulnerabilities were disclosed anonymously, and their sequential CVE numbers suggest they were likely discovered or used in the same attacks15.

Windows Zero-Day Exploits

The January 2025 Patch Tuesday updates also include fixes for several zero-day vulnerabilities that were either actively exploited or publicly disclosed:

• Actively Exploited Zero-Days:

  • The three Hyper-V vulnerabilities mentioned above (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) were actively exploited to gain SYSTEM privileges.
  • Additionally, there is a zero-day vulnerability in the Windows App Package Installer (CVE-2025-21275), which could lead to an attacker gaining SYSTEM privileges. This vulnerability was also submitted anonymously15.

• Publicly Disclosed Zero-Days:

  • Besides the actively exploited vulnerabilities, there are five publicly disclosed zero-day vulnerabilities. One notable example is the Windows Themes Spoofing Vulnerability (CVE-2025-21308), although specific details on its exploitation are not provided in the latest updates1.

Other Critical Vulnerabilities

In addition to the Hyper-V and zero-day vulnerabilities, the January 2025 Patch Tuesday includes fixes for a wide range of other critical vulnerabilities:

• Remote Code Execution (RCE) Vulnerabilities: Several RCE vulnerabilities were patched, including those affecting Windows NTLM V1 (CVE-2025-21311), Windows Remote Desktop Services (CVE-2025-21309, CVE-2025-21297), Reliable Multicast Transport Driver (RMCAST) (CVE-2025-21307), and authentication mechanisms like SPNEGO and Digest Authentication (CVE-2025-21295, CVE-2025-21294)15.

• Elevation of Privilege and Information Disclosure: Other vulnerabilities include elevation of privilege flaws in components like the Windows Client-Side Caching (CSC) Service (CVE-2025-21378), Windows Cloud Files Mini Filter Driver (CVE-2025-21271), and information disclosure vulnerabilities such as the one in the Windows Cryptographic component (CVE-2025-21336)1.

Security Implications and Recommendations

Given the severity and active exploitation of these vulnerabilities, it is crucial for users to update their systems to the latest versions as soon as possible. The patches address a total of 159 vulnerabilities, including 12 classified as "Critical" and 8 zero-day vulnerabilities. Ensuring these updates are applied promptly will help prevent threat actors from exploiting these vulnerabilities to gain unauthorized access or execute malicious code15.

Historical Context and Comparison

In 2024, Microsoft faced significant security challenges, with 1,119 CVEs disclosed in Microsoft products, 53 of which were rated as critical severity (CVSS > 9.0), and 43 added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This highlights the ongoing need for vigilant patch management and security updates2.

For more detailed information on the specific vulnerabilities and their exploitation methods, users can refer to Microsoft's official advisory and the comprehensive list of patched vulnerabilities provided by Microsoft15.