Wednesday, January 15, 2025

3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update


Microsoft kicked off 2025 with a new set of patches for a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks.

Of the 161 flaws, 11 are rated Critical, and 149 are rated Important in severity. One other flaw, a non-Microsoft CVE related to a Windows Secure Boot bypass (CVE-2024-7344), has not been assigned any severity. According to the Zero Day Initiative, the update marks the largest number of CVEs addressed in a single month since at least 2017.

The fixes are in addition to seven vulnerabilities the Windows maker addressed in its Chromium-based Edge browser since the release of the December 2024 Patch Tuesday updates.

Prominent among the patches released by Microsoft is a trio of flaws in Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335, CVSS scores: 7.8) that the company said have come under active exploitation in the wild –

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the company said in an advisory for the three vulnerabilities.

As is customary, it is currently not known how these shortcomings are being exploited, and in what context. Microsoft also makes no mention of the identity of the threat actors weaponizing them or the scale of the attacks.

But given that they are privilege escalation bugs, they are very likely used as part of post-compromise activity, where an attacker has already gained access to a target system by some other means, Satnam Narang, senior staff research engineer at Tenable, pointed out.

"The Virtualization Service Provider (VSP) resides in the root partition of a Hyper-V instance, and provides synthetic device support to child partitions over the Virtual Machine Bus (VMBus): it's the foundation of how Hyper-V allows the child partition to trick itself into thinking that it's a real computer," Rapid7's Lead Software Engineer, Adam Barnett, told The Hacker News.


"Given that the whole thing is a security boundary, it's perhaps surprising that no Hyper-V NT Kernel Integration VSP vulnerabilities have been acknowledged by Microsoft until today, but it would not be at all surprising if more now emerge."

The exploitation of Windows Hyper-V NT Kernel Integration VSP has also resulted in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding the three CVEs to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by February 4, 2025.

Separately, Redmond has warned that five of the bugs are publicly known –

It's worth noting that CVE-2025-21308, which could lead to improper disclosure of an NTLM hash, was previously flagged by 0patch as a bypass for CVE-2024-38030. Micropatches for the vulnerability were released in October 2024.

All three Microsoft Access issues, on the other hand, have been credited to Unpatched.ai, an AI-guided vulnerability discovery platform. Action1 also noted that while the flaws are classified as remote code execution (RCE) vulnerabilities, exploitation requires an attacker to convince the user to open a specially crafted file.

The update is also notable for closing out five Critical severity flaws –

  • CVE-2025-21294 (CVSS score: 8.1) – Microsoft Digest Authentication Remote Code Execution Vulnerability
  • CVE-2025-21295 (CVSS score: 8.1) – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
  • CVE-2025-21298 (CVSS score: 9.8) – Windows Object Linking and Embedding (OLE) Remote Code Execution Vulnerability
  • CVE-2025-21307 (CVSS score: 9.8) – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
  • CVE-2025-21311 (CVSS score: 9.8) – Windows NTLM V1 Elevation of Privilege Vulnerability

"In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim," Microsoft said in its bulletin for CVE-2025-21298.

"Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim's machine."

To safeguard against the flaw, Microsoft recommends that users read email messages in plain text format. It is also advising users of Microsoft Outlook to reduce the risk by not opening RTF files from unknown or untrusted sources.
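The plain-text reading recommendation above is a per-user Outlook option. As an added example (not code from the article, Microsoft's bulletin, or any of the quoted vendors), the PowerShell below sets and verifies that option through its registry value. It assumes the Office 16.0 registry layout (Office 2016/2019/Microsoft 365); the `ReadAsPlain` DWORD under `Options\Mail` is the value behind Outlook's "Read all standard mail in plain text" checkbox, and the function names are the example's own.

```powershell
# Added example: enforce and verify Outlook's "read all standard mail in plain text"
# setting for the current user. Assumes the Office 16.0 registry layout
# (Office 2016/2019/Microsoft 365); change $OfficeVersion for other releases.
$OfficeVersion = '16.0'
$MailKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

function Get-OutlookPlainTextState {
    # Returns $true only when ReadAsPlain exists and equals 1.
    # A missing key or value is treated as "off", which is Outlook's default.
    param([string]$Key = $MailKey)
    if (-not (Test-Path -Path $Key)) { return $false }
    $props = Get-ItemProperty -Path $Key -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return ([int]$props.ReadAsPlain -eq 1)
}

function Set-OutlookPlainText {
    # Creates the Options\Mail key if it is absent and sets ReadAsPlain = 1 (DWORD).
    param([string]$Key = $MailKey)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name 'ReadAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Get-OutlookPlainTextState) {
    Write-Output "Outlook already reads standard mail as plain text ($MailKey\ReadAsPlain = 1)."
} else {
    Set-OutlookPlainText
    # Re-read the value instead of trusting the write, so a failed change is visible.
    $result = if (Get-OutlookPlainTextState) { 'applied' } else { 'FAILED to apply' }
    Write-Output "Plain-text reading setting $result at $MailKey\ReadAsPlain."
}
```

Outlook picks the value up on its next start. For fleet-wide enforcement the equivalent Group Policy setting writes the same `ReadAsPlain` value under `HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail`, which users cannot override from the Outlook UI. The setting reduces exposure to the preview-pane path described in the bulletin; it is a stopgap alongside the patch, not a substitute for it.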

"The CVE-2025-21295 vulnerability in the SPNEGO Extended Negotiation (NEGOEX) security mechanism allows unauthenticated attackers to run malicious code remotely on affected systems without user interaction," Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit, said.


"Despite a high attack complexity (AC:H), successful exploitation can fully compromise enterprise infrastructure by undermining a core security mechanism layer, leading to potential data breaches. Because no valid credentials are required, the risk of widespread impact is significant, highlighting the need for rapid patches and vigilant mitigation."

As for CVE-2025-21294, Microsoft said a bad actor could successfully exploit this vulnerability by connecting to a system which requires digest authentication, triggering a race condition to create a use-after-free scenario, and then leveraging it to execute arbitrary code.

"Microsoft Digest is the application responsible for performing initial authentication when a server receives the first challenge response from a client," Ben Hopkins, cybersecurity engineer at Immersive Labs, said. "The server works by checking that the client has not already been authenticated. CVE-2025-21294 involves exploitation of this process for attackers to gain remote code execution (RCE)."

Among the list of vulnerabilities that have been tagged as more likely to be exploited is an information disclosure flaw affecting Windows BitLocker (CVE-2025-21210, CVSS score: 4.2) that could allow for the recovery of hibernation images in plaintext, assuming an attacker is able to gain physical access to the victim machine's hard disk.

"Hibernation images are used when a laptop goes to sleep and contain the contents that were stored in RAM at the moment the device powered down," Kev Breen, senior director of threat research at Immersive Labs, said.

"This presents a significant potential impact as RAM can contain sensitive data (such as passwords, credentials, and PII) that may have been in open documents or browser sessions and can all be recovered with free tools from hibernation files."

Software Patches from Other Vendors

Besides Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
