Microsoft’s monthly patches cover Hyper-V NT Kernel Integration VSPs, Git in Visual Studio, and more.
Analysis Summary
# Vulnerability: Elevation of Privilege in Windows Hyper-V and Critical RCE/EoP Flaws
## CVE Details
- CVE IDs: CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 (Windows Hyper-V NT Kernel Integration VSP EoP); CVE-2025-21298 (OLE RCE); CVE-2025-21311 (NTLMv1 EoP); CVE-2025-21307 (Windows Reliable Multicast Transport Driver RCE)
- CVSS Score: 9.8 (Critical) for CVE-2025-21298, CVE-2025-21311, and CVE-2025-21307
- CWE: Not explicitly listed, but relates to Improper Privilege Management (EoP) and Improper Input Validation (RCE).
## Affected Systems
- Products: Windows (including Windows 11, version 24H2), Windows Hyper-V, Microsoft Outlook (OLE component), NTLMv1 protocol, Windows Reliable Multicast Transport Driver, Git within Visual Studio, PowerPoint 2016.
- Versions: Specific vulnerable versions are not detailed, but the vulnerabilities affect systems that have not received the January 2025 security update. Windows 11, version 24H2 is specifically mentioned regarding driver blocklist expansion.
- Configurations: Systems running vulnerable third-party kernel drivers are susceptible to BYOVD attacks.
## Vulnerability Description
Microsoft addressed several critical vulnerabilities in January 2025. Three specific vulnerabilities, **CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335**, are Elevation of Privilege (EoP) flaws within Windows Hyper-V NT Kernel Integration VSPs, which could allow an attacker to gain SYSTEM privileges. Additionally, high-severity flaws include an RCE flaw in the Object Linking and Embedding (OLE) technology in Microsoft Outlook (CVE-2025-21298), an EoP vulnerability in the NTLMv1 protocol (CVE-2025-21311), and an RCE vulnerability in the Windows Reliable Multicast Transport Driver (CVE-2025-21307). The update also expands the vulnerable driver blocklist to mitigate Bring Your Own Vulnerable Driver (BYOVD) attacks. An information disclosure vulnerability (CVE-2024-50338) was also patched in Git for Microsoft Visual Studio.
## Exploitation
- Status: CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 (Hyper-V VSPs) have **already been exploited**. The high-severity RCE/EoP flaws (CVE-2025-21298, CVE-2025-21311, CVE-2025-21307) have **not been publicly exploited**.
- Complexity: Low to Medium (based on reported impact of existing exploitation for Hyper-V flaws).
- Attack Vector: Varies (Network for RCE, Local/Adjacent for EoP).
## Impact
- Confidentiality: High (Potentially compromised by RCE flaws).
- Integrity: High (Gaining SYSTEM privileges allows modification of system state).
- Availability: Medium to High (Successful exploitation, especially RCE, can lead to system disruption).
## Remediation
### Patches
- Install the Microsoft January 2025 security update. No single KB covers every product; the January 14, 2025 release for Windows 11 is KB5050009 (OS build 26100.2894), and KB5050009 is also mentioned for the workarounds.
- Patch for PowerPoint 2016: January 7, 2025 update (KB5002632).
- Patch for Git in Visual Studio (for CVE-2024-50338).
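
The patch level above can be checked across an exported inventory of OS build strings. The following is an added example, not part of the original report or any Microsoft tooling; the hostnames and sample builds are constructed, and only the 26100.2894 threshold comes from this page, so other build branches are reported as unknown rather than guessed.

```python
# Added example: triage Windows build strings against the patched build this
# page gives (Windows 11 OS build 26100.2894, KB5050009).
import re

# build branch -> minimum patched revision. Only value stated on the page.
PATCHED = {26100: 2894}

# Accepts "10.0.26100.2894" or the short form "26100.2894".
BUILD_RE = re.compile(r"^(?:10\.0\.)?(\d{4,5})\.(\d+)$")

def classify(build_string):
    """Return 'patched', 'missing-update', 'unknown-branch' or 'unparseable'."""
    m = BUILD_RE.match(build_string.strip())
    if not m:
        return "unparseable"
    # Compare as integers: as strings, "999" would sort above "2894".
    build, revision = int(m.group(1)), int(m.group(2))
    minimum = PATCHED.get(build)
    if minimum is None:
        # The page gives no patched build for other branches; do not guess.
        return "unknown-branch"
    return "patched" if revision >= minimum else "missing-update"

def triage(inventory):
    """Group hostnames by status. inventory: iterable of (host, build_string)."""
    result = {}
    for host, build_string in inventory:
        result.setdefault(classify(build_string), []).append(host)
    return result

# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = [
    ("hv-host-01", "10.0.26100.2894"),
    ("hv-host-02", "10.0.26100.2605"),
    ("ws-117", "26100.3194"),
    ("ws-042", "10.0.22631.4602"),
    ("lab-3", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Because Windows updates are cumulative, any later revision on the same branch also passes the check. Hosts in the unknown-branch group need their own threshold from the matching Microsoft support article.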
### Workarounds
- For installation issues blocking the January 2025 Windows security update due to Citrix components: Apply the workaround provided by Citrix (specific details not listed in the summary context).
- For OpenSSH users who installed the October 2024 update: Apply the subsequent fix released by Microsoft.
## Detection
- Indicators of Compromise: Increased system activity, unexpected process execution at SYSTEM level, or unauthorized access related to Hyper-V or OLE handling.
- Detection methods and tools: Monitor systems for exploitation attempts targeting Hyper-V VSPs or known RCE vectors. Apply Microsoft's recommended driver block rules for enhanced BYOVD protection.
## References
- Vendor Advisories: msrc.microsoft.com/update-guide/ (links for specific CVEs)
- Relevant links:
  - support.microsoft.com/en-us/topic/january-14-2025-kb5050009-os-build-26100-2894-bdbfb097-ea20-487d-9171-718d15e26f1b
  - support.microsoft.com/en-us/topic/january-7-2025-update-for-powerpoint-2016-kb5002632-14dc8b3a-b2ca-4ae7-b732-29f6760c4908