Patch Tuesday saw Microsoft fix eight zero-days, three of which are being actively exploited
Analysis Summary
# Vulnerability: Microsoft Patches Eight Zero-Days, Including Actively Exploited Hyper-V Flaws
## CVE Details
* **CVE ID:** CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 (zero-days, actively exploited)
* **CVSS Score:** 7.8 (High)
* **Type:** Elevation of Privilege (EoP) in the Windows Hyper-V NT Kernel Integration VSP
* **CVE ID:** CVE-2025-21275 (zero-day, publicly disclosed)
* **CVSS Score:** Not given in the source article
* **Type:** Elevation of Privilege (EoP) in Windows App Package Installer
* **CVE ID:** CVE-2025-21308 (zero-day, publicly disclosed)
* **CVSS Score:** Not given in the source article
* **Type:** Spoofing in Windows Themes
* **CVE ID:** CVE-2025-21186, CVE-2025-21366, CVE-2025-21395 (zero-days, publicly disclosed)
* **CVSS Score:** Not given in the source article
* **Type:** Remote Code Execution (RCE) in Microsoft Access
* **CVE ID:** CVE-2025-21311 (highlighted as critical; not one of the eight zero-days)
* **CVSS Score:** 9.8 (Critical)
* **Type:** Elevation of Privilege (EoP) in Windows NTLM V1
* **CVE ID:** CVE-2025-21307 (highlighted as critical; not one of the eight zero-days)
* **CVSS Score:** 9.8 (Critical)
* **Type:** Remote Code Execution (RCE) in the Windows Reliable Multicast Transport Driver (RMCAST), unauthenticated
* **CVE ID:** CVE-2025-21298 (highlighted as critical; not one of the eight zero-days)
* **CVSS Score:** 9.8 (Critical)
* **Type:** Remote Code Execution (RCE) in Windows OLE
## Affected Systems
* **Products (Actively Exploited):** Windows hosts running Hyper-V, Windows 11 included.
* **Products (Publicly Disclosed Zero-Days):** Windows (App Package Installer, Themes) and Microsoft Access.
* **Products (Critical, Non-Zero-Day):** Windows (NTLM V1, RMCAST, OLE).
* **Versions:** Not itemised in the source; all supported Windows and Microsoft Access versions that have not received the January 2025 updates should be treated as affected.
* **Configurations:** The Hyper-V flaws matter beyond virtualization hosts. Virtualization-based security features such as Device Guard and Credential Guard run on Hyper-V, so a bug that yields SYSTEM on the host sits underneath the controls meant to protect credentials.
## Vulnerability Description
Microsoft patched eight zero-day vulnerabilities, three of which were actively being exploited in the wild.
1. **Hyper-V NT Kernel Integration VSP EoP (CVE-2025-21333, -21334, -21335):** A low-privileged attacker who already has code execution on the host can escalate to SYSTEM. From there the attacker can disable security tooling or dump credentials (for example with Mimikatz) to move laterally.
2. **Critical Flaws (CVSS 9.8):** An NTLM V1 EoP (CVE-2025-21311); an unauthenticated RCE in the Windows Reliable Multicast Transport Driver (RMCAST), reachable only when a program on the host is listening on a PGM port (CVE-2025-21307); and an RCE in Windows OLE (CVE-2025-21298).
3. **Other Zero-Days:** Includes an EoP in Windows App Package Installer, a spoofing vulnerability in Windows Themes, and three RCEs in Microsoft Access.
## Exploitation
* **Status:** CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are confirmed **exploited in the wild**. The other five zero-days were publicly disclosed before the patch but are not reported as exploited.
* **Complexity:** The Hyper-V EoP flaws are post-compromise bugs: they need an initial foothold (for example via phishing) and then hand the attacker SYSTEM. The RMCAST RCE requires no authentication but does require a PGM listener on the target.
* **Attack Vector:** Local for the Hyper-V EoP flaws (the attacker must already be on the host). The RCEs are network or local depending on the component; RMCAST is network-reachable, the Access flaws need a user to open a crafted file.
## Impact
* **Confidentiality:** High (System-level access allows credential dumping and sensitive data access).
* **Integrity:** High (Ability to disable security tooling and tamper with system configuration).
* **Availability:** Medium to High (System compromise can lead to denial of service or ransomware deployment).
## Remediation
### Patches
* Security updates released by Microsoft to address all eight zero-day flaws (as part of their Patch Tuesday release). Organizations must deploy the corresponding security updates immediately.
### Workarounds
* The source mentions no workarounds for the actively exploited Hyper-V flaws, so patching is the only fix. For CVE-2025-21307, exposure is limited to hosts where a program is listening on a PGM port; that narrows the attack surface but is not a substitute for the update.
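The following PowerShell is an added example for this page, not code from the article or from Microsoft. It reports whether a host still lacks the January 2025 update and whether it runs the configurations that make the Hyper-V VSP and RMCAST flaws matter: a Hyper-V hypervisor, Credential Guard, HVCI, and the RMCAST driver. The KB IDs are placeholders that must be taken from the Microsoft Security Update Guide for the host's build, and the assumption that the Reliable Multicast driver is registered as a system driver named RMCAST is marked in the code.

```powershell
# Added example, not from the article or from Microsoft. Run elevated.
function Get-JanuaryPatchPosture {
    [CmdletBinding()]
    param(
        # ASSUMPTION: placeholder IDs. Replace with the KB numbers the Microsoft
        # Security Update Guide lists for CVE-2025-21333/-21334/-21335 on this build.
        [string[]]$RequiredKB = @('KB0000000'),
        # January 2025 Patch Tuesday fell on 14 January 2025.
        [datetime]$PatchTuesday = [datetime]'2025-01-14'
    )

    $hotfixes  = @(Get-HotFix)
    $installed = @($hotfixes | Where-Object { $_.HotFixID -in $RequiredKB } | ForEach-Object HotFixID)
    $missing   = @($RequiredKB | Where-Object { $_ -notin $installed })
    # Second signal for when the KB list above is incomplete: anything installed
    # on or after Patch Tuesday.
    $recent = @($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday })

    # HypervisorPresent is true whenever the Hyper-V hypervisor is running, which
    # includes hosts that only use it for VBS features such as Credential Guard.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $services = @($dg.SecurityServicesRunning)

    # ASSUMPTION: the Reliable Multicast driver is registered as the system driver
    # named RMCAST. CVE-2025-21307 needs a PGM listener, so a host where the
    # driver is absent or stopped cannot be listening on a PGM port.
    $rmcast = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        MissingKB                = $missing
        UpdatesSincePatchTuesday = $recent.Count
        HypervisorPresent        = [bool]$cs.HypervisorPresent
        CredentialGuardRunning   = ($services -contains 1)
        HvciRunning              = ($services -contains 2)
        RmcastDriverState        = $(if ($rmcast) { $rmcast.State } else { 'not installed' })
    }
}

Get-JanuaryPatchPosture | Format-List
```

A host that reports `HypervisorPresent` and `CredentialGuardRunning` as true with entries in `MissingKB` is exactly the case the article warns about: the security features depend on the component that is being exploited, so those hosts belong at the front of the patch queue.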
## Detection
* **Indicators of Compromise:** Post-exploitation activity on Hyper-V hosts: credential-dumping tools such as Mimikatz (in practice, processes opening lsass.exe with memory-read rights), and changes to or disabling of Device Guard and Credential Guard.
* **Detection Methods and Tools:** While patches are pending, watch Hyper-V integration service activity and process execution on those hosts more closely than usual, and alert on any unexpected process that reads LSASS memory. Given the number of CVEs in this release, automated patch management is strongly advised.
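The following PowerShell is an added example for this page, not code from the article. It implements the LSASS-access check named above by scanning Sysmon Event ID 10 (ProcessAccess) records for processes that open lsass.exe with `PROCESS_VM_READ` or `PROCESS_VM_WRITE`, the rights credential-dumping tools need. It consumes the events as XML so it runs offline against the constructed sample records built inline; the source-image allowlist is an assumption to be tuned per environment.

```powershell
# Added example, not from the article. On a live host feed it with:
#   Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=10]]' |
#       ForEach-Object { $_.ToXml() }
function Find-LsassMemoryAccess {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        # ASSUMPTION: allowlist of system binaries that legitimately open lsass;
        # extend it with the EDR/AV images present on your hosts.
        [string[]]$AllowedSourceImage = @('C:\Windows\System32\csrss.exe',
                                          'C:\Windows\System32\wininit.exe')
    )
    $memoryRights = 0x10 -bor 0x20   # PROCESS_VM_READ | PROCESS_VM_WRITE

    foreach ($xml in $EventXml) {
        $doc  = [xml]$xml
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.TargetImage -notlike '*\lsass.exe') { continue }
        $mask = [Convert]::ToInt32($data.GrantedAccess, 16)
        if (($mask -band $memoryRights) -eq 0) { continue }
        if ($data.SourceImage -in $AllowedSourceImage) { continue }

        [pscustomobject]@{
            UtcTime       = $data.UtcTime
            SourceImage   = $data.SourceImage
            SourceUser    = $data.SourceUser
            GrantedAccess = $data.GrantedAccess
        }
    }
}

# Constructed sample records (not real telemetry), in Sysmon's event XML layout.
function New-SampleEvent {
    param([string]$Source, [string]$Target, [string]$Access, [string]$User)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-01-15 09:12:44.118</Data>
    <Data Name="SourceImage">$Source</Data>
    <Data Name="TargetImage">$Target</Data>
    <Data Name="GrantedAccess">$Access</Data>
    <Data Name="SourceUser">$User</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    # Benign: allowlisted system process, even with full access.
    (New-SampleEvent -Source 'C:\Windows\System32\csrss.exe' -Target 'C:\Windows\System32\lsass.exe' -Access '0x1FFFFF' -User 'NT AUTHORITY\SYSTEM'),
    # Ignored: the target is not lsass.
    (New-SampleEvent -Source 'C:\Windows\explorer.exe' -Target 'C:\Windows\System32\notepad.exe' -Access '0x1410' -User 'CORP\alice'),
    # Flagged: unknown binary reading lsass memory (0x1010 = QUERY_LIMITED_INFORMATION | VM_READ).
    (New-SampleEvent -Source 'C:\Users\alice\AppData\Local\Temp\m.exe' -Target 'C:\Windows\System32\lsass.exe' -Access '0x1010' -User 'CORP\alice')
)

Find-LsassMemoryAccess -EventXml $sample | Format-Table -AutoSize
```

Only the third sample record is returned. Matching on the access-mask bits rather than on a fixed list of masks (0x1010, 0x1410, 0x1438 and so on) keeps the check robust against a tool that requests a slightly different combination of rights, at the cost of a larger allowlist to maintain.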
## References
* Vendor Advisories: Microsoft Security Update Guide, January 2025 Patch Tuesday release.
* Source article: [Microsoft Patches Eight Zero-Days (Infosecurity Magazine)](https://www.infosecurity-magazine.com/news/microsoft-patches-eight-zerodays/)