Full Report
Microsoft kicked off 2025 with a new set of patches for a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks. Of the 161 flaws, 11 are rated Critical, and 149 are rated Important in severity. One other flaw, a non-Microsoft CVE related to a Windows Secure Boot bypass (CVE-2024-7344), has not been assigned
Analysis Summary
# Vulnerability: January 2025 Patch Summary Highlighting Exploited Hyper-V Flaws
## CVE Details
This summary highlights specific high-profile CVEs mentioned in the January 2025 patch release, including three actively exploited zero-days.
- CVE ID: CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 (Windows Hyper-V NT Kernel Integration VSP)
- CVSS Score: 7.8 (High under CVSS v3.x scoring; MSRC assigns its own severity rating separately, relative to the release's Critical flaws)
- CWE: Not specified for every entry; the Hyper-V flaws are privilege-escalation bugs in kernel-integration code.
**Other Notable CVEs:**
- **CVE-2025-21186, CVE-2025-21366, CVE-2025-21395** (Microsoft Access RCE) - CVSS: 7.8
- **CVE-2025-21275** (Windows App Package Installer EoP) - CVSS: 7.8
- **CVE-2025-21308** (Windows Themes Spoofing/NTLM Disclosure) - CVSS: 6.5
- **CVE-2025-21294, CVE-2025-21295** (Digest Auth RCE, NEGOEX RCE) - CVSS: 8.1
- **CVE-2025-21298** (Windows OLE RCE) - CVSS: 9.8
## Affected Systems
- **Products:** Microsoft Windows (specifically Hyper-V installations), Microsoft Access, Windows OS components (App Package Installer, Themes, Authentication mechanisms like Digest/NEGOEX, OLE).
- **Versions:** Not explicitly listed in the summary, but applies to products receiving the January 2025 security updates.
- **Configurations:** Hosts running Hyper-V workloads are specifically affected by CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335. The RCE flaws generally require user interaction (e.g., opening a malicious file) unless otherwise specified.
## Vulnerability Description
The most critical findings involved three zero-day vulnerabilities in the **Windows Hyper-V NT Kernel Integration VSP** (Virtualization Service Provider). These flaws reside in the root partition and interact with child partitions via the VMBus, presenting a significant security boundary concern. Successful exploitation allows an attacker to gain **SYSTEM privileges** on the host system, indicating a severe privilege escalation vector.
Several other vulnerabilities detailed include:
1. **Microsoft Access RCE:** Flaws that allow remote code execution when a user opens a specially crafted file.
2. **Windows OLE RCE (CVE-2025-21298):** A critical flaw rated 9.8 severity.
## Exploitation
- **Status (Hyper-V Flaws):** **Exploited in the wild** (added to the CISA KEV catalog).
- **Status (Other Major Flaws):** Five flaws were **publicly known** prior to patching.
- **Complexity (Hyper-V Flaws):** Likely Medium/High; the SYSTEM escalation goal implies the attacker already controls a Hyper-V environment or starts from an elevated foothold.
- **Attack Vector (Hyper-V Flaws):** Likely Adjacent/Local after initial access, since these are privilege-escalation bugs typically used post-compromise; the means of triggering the VSP issue is not detailed. The RCE flaws (e.g., Access) typically carry a Network/Local attack vector contingent on user interaction.
## Impact
- **Confidentiality:** High (SYSTEM access allows data exfiltration).
- **Integrity:** High (SYSTEM access allows modification/destruction of system data).
- **Availability:** High (SYSTEM access allows system denial of service).
## Remediation
### Patches
Microsoft released a total of 161 security updates in January 2025. Specific patches/updates corresponding to the CVEs listed above are mandatory. Users should consult the January 2025 Microsoft Update Guide for the specific rollups containing these fixes.
### Workarounds
No specific workarounds are detailed in the summarized article, but immediate patching is strongly recommended for the actively exploited Hyper-V vulnerabilities.
## Detection
- **Indicators of Compromise:** Not specified. Until Hyper-V hosts are patched, monitor them for unexpected crashes or anomalous activity around the VMBus/VSP interaction between the root and child partitions.
- **Detection Methods and Tools:** CISA has added the three Hyper-V vulnerabilities to its **Known Exploited Vulnerabilities (KEV) catalog**, requiring federal agencies to patch by February 4, 2025. Organizations should prioritize scanning for systems lacking the January 2025 security updates.
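A host-side check that supports the scanning recommendation above, added here as an example and not taken from the summary or from any vendor tool. It assumes the January 2025 Patch Tuesday date (2025-01-14) as a heuristic cut-off and uses the presence of the Hyper-V optional feature or the `vmms` service to flag hosts exposed to the exploited VSP flaws; confirm the exact KB numbers for each build against the MSRC release notes before treating a host as patched.

```powershell
# Added example: triage Hyper-V hosts that show no Windows update installed
# on or after the January 2025 Patch Tuesday. The date is an assumed heuristic,
# not a substitute for checking the KB numbers listed in the MSRC release notes.
$patchTuesday = Get-Date '2025-01-14'

# Hyper-V present? Checks the optional feature, then the VM Management service.
function Test-HyperVHost {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' `
        -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') { return $true }
    $svc = Get-Service -Name 'vmms' -ErrorAction SilentlyContinue
    return [bool]$svc
}

# Most recent update recorded by the servicing stack (null if none have a date).
function Get-LatestUpdateDate {
    $hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending
    if ($hotfixes) { return $hotfixes[0].InstalledOn }
    return $null
}

$isHyperV = Test-HyperVHost
$latest   = Get-LatestUpdateDate
$patched  = ($latest -and $latest -ge $patchTuesday)

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    HyperVPresent = $isHyperV
    LatestUpdate  = $latest
    Assessment    = if ($patched) { 'likely patched' } else { 'NEEDS REVIEW: no update since 2025-01-14' }
    # Unpatched Hyper-V hosts go first: CVE-2025-21333/21334/21335 are exploited in the wild.
    Priority      = if ($isHyperV -and -not $patched) { 'HIGH' } else { 'normal' }
}
```

Run it from an elevated session on each host (or wrap it in `Invoke-Command` across an inventory) and sort the resulting objects by `Priority` to build the patch queue.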
## References
- Vendor Advisory: [MSRC January 2025 Release Notes](https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan)
- CISA KEV Addition: [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) (Search for relevant CVEs)
- Research Context: [ZDI January 2025 Security Update Review](https://www.zerodayinitiative.com/blog/2025/1/14/the-january-2025-security-update-review)
- Exploitation Context: [Action1 Patch Tuesday Analysis](https://www.action1.com/patch-tuesday-january-2025/)