3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update

Microsoft kicked off 2025 with a new set of patches for a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks.

Of the 161 flaws, 11 are rated Critical and 149 are rated Important in severity. One other flaw, a non-Microsoft CVE related to a Windows Secure Boot bypass (CVE-2024-7344), has not been assigned any severity. According to the Zero Day Initiative, the update marks the largest number of CVEs addressed in a single month since at least 2017.

The fixes are in addition to seven vulnerabilities the Windows maker has addressed in its Chromium-based Edge browser since the release of the December 2024 Patch Tuesday updates.

Prominent among the patches released by Microsoft is a trio of flaws in Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335, CVSS scores: 7.8) that the company said have come under active exploitation in the wild –

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the company said in an advisory for the three vulnerabilities.

As is customary, it is currently not known how these shortcomings are being exploited, or in what context. Microsoft also makes no mention of the identity of the threat actors weaponizing them or the scale of the attacks.

But given that they are privilege escalation bugs, they are very likely used as part of post-compromise activity, where an attacker has already gained access to a target system by some other means, Satnam Narang, senior staff research engineer at Tenable, pointed out.

"The Virtualization Service Provider (VSP) resides in the root partition of a Hyper-V instance, and provides synthetic device support to child partitions over the Virtual Machine Bus (VMBus): it's the foundation of how Hyper-V allows the child partition to trick itself into thinking that it's a real computer," Rapid7's Lead Software Engineer, Adam Barnett, told The Hacker News.


"Given that the whole thing is a security boundary, it's perhaps surprising that no Hyper-V NT Kernel Integration VSP vulnerabilities have been acknowledged by Microsoft until today, but it won't be at all surprising if more now emerge."

The exploitation of Windows Hyper-V NT Kernel Integration VSP has also resulted in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding the three CVEs to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by February 4, 2025.
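A KEV listing carries a remediation due date, and defenders commonly rank a month's patches by that date rather than by CVSS alone. The script below is an added example, not code from the article, CISA or Microsoft: it parses a small catalog shaped like CISA's KEV JSON feed, flags entries whose due date falls inside a planning window, and lists which of them a host has not yet remediated. The field names (cveID, vendorProject, product, dateAdded, dueDate) follow the public feed's schema as an assumption; the three Hyper-V entries use the February 4, 2025 due date from the article, the dateAdded values and the fourth entry are constructed to exercise the filter.

```python
"""Triage a KEV-style catalog by remediation due date (added example)."""
import json
from datetime import date, timedelta

# Constructed sample shaped like the CISA KEV JSON feed. The schema is an
# assumption; dateAdded values and the ExampleVendor entry are invented.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2025-21333", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-01-14", "dueDate": "2025-02-04"},
    {"cveID": "CVE-2025-21334", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-01-14", "dueDate": "2025-02-04"},
    {"cveID": "CVE-2025-21335", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-01-14", "dueDate": "2025-02-04"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "dateAdded": "2025-01-10", "dueDate": "2025-04-10"}
  ]
}
"""


def load_kev(raw):
    """Parse the feed into plain dicts with real date objects for comparison."""
    data = json.loads(raw)
    entries = []
    for v in data["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
        })
    return entries


def due_within(entries, today, days):
    """Entries whose due date is within `days` of `today` (overdue ones included),
    most urgent first."""
    horizon = today + timedelta(days=days)
    hits = [e for e in entries if e["due"] <= horizon]
    return sorted(hits, key=lambda e: e["due"])


def days_remaining(entry, today):
    """Days left until the due date; negative means the deadline has passed."""
    return (entry["due"] - today).days


def outstanding(entries, remediated_cves):
    """Drop entries a host has already patched (remediated_cves is a set of IDs)."""
    return [e for e in entries if e["cve"] not in remediated_cves]


if __name__ == "__main__":
    today = date(2025, 1, 20)  # constructed reference date
    catalog = load_kev(SAMPLE_KEV_JSON)
    # Pretend this host already has the fix for one of the three Hyper-V bugs.
    still_open = outstanding(due_within(catalog, today, 30), {"CVE-2025-21333"})
    for e in still_open:
        print(f"{e['cve']} ({e['vendor']} {e['product']}): "
              f"{days_remaining(e, today)} days until {e['due']}")
```

Swapping `SAMPLE_KEV_JSON` for the text of the real feed is the only change needed to run this against the live catalog, since the loader reads only the fields shown.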

Separately, Redmond has warned that five of the bugs are publicly known –

It is worth noting that CVE-2025-21308, which could lead to improper disclosure of an NTLM hash, was previously flagged by 0patch as a bypass for CVE-2024-38030. Micropatches for the vulnerability were released in October 2024.

All three Microsoft Access issues, on the other hand, have been credited to Unpatched.ai, an AI-guided vulnerability discovery platform. Action1 also noted that while the problems are categorized as remote code execution (RCE) vulnerabilities, exploitation requires an attacker to convince the user to open a specially crafted file.

The update is also notable for closing out five Critical severity flaws –

  • CVE-2025-21294 (CVSS score: 8.1) – Microsoft Digest Authentication Remote Code Execution Vulnerability
  • CVE-2025-21295 (CVSS score: 8.1) – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
  • CVE-2025-21298 (CVSS score: 9.8) – Windows Object Linking and Embedding (OLE) Remote Code Execution Vulnerability
  • CVE-2025-21307 (CVSS score: 9.8) – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
  • CVE-2025-21311 (CVSS score: 9.8) – Windows NTLM V1 Elevation of Privilege Vulnerability

"In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim," Microsoft said in its bulletin for CVE-2025-21298.

"Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim's machine."

To safeguard against the flaw, it is recommended that users read email messages in plain text format. Microsoft is also advising the use of Microsoft Outlook to reduce the risk of users opening RTF files from unknown or untrusted sources.
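Because the bulletin says that merely previewing a crafted message can trigger CVE-2025-21298, the plain-text mitigation matters for the Preview Pane as much as for opened mail. The snippet below is an added example, not from the article or from Microsoft's guidance, showing one way to apply that mitigation per user: it sets Outlook's documented ReadAsPlain registry value, which makes Outlook render all standard mail as plain text. The Office version segment in the path (16.0) and the function name Set-OutlookPlainText are assumptions; adjust the version for other Office builds, and use the equivalent Group Policy setting for fleet-wide enforcement.

```powershell
# Added example: force Outlook to display mail as plain text for the current user.
# Assumption: Office 16.0 (Outlook 2016/2019/Microsoft 365) registry layout.
function Set-OutlookPlainText {
    param(
        [string]$OfficeVersion = '16.0',
        [switch]$Undo   # pass -Undo to restore HTML/RTF rendering
    )

    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    $value = if ($Undo) { 0 } else { 1 }
    New-ItemProperty -Path $key -Name 'ReadAsPlain' -PropertyType DWord `
        -Value $value -Force | Out-Null

    # Read the value back so the caller can verify the change took effect.
    $applied = (Get-ItemProperty -Path $key -Name 'ReadAsPlain').ReadAsPlain
    [pscustomobject]@{
        Key       = $key
        ReadAsPlain = $applied
        Enforced  = ($applied -eq 1)
    }
}

# Usage (takes effect the next time Outlook starts):
Set-OutlookPlainText | Format-List
```

Plain-text rendering removes formatting from legitimate mail as well, so many shops apply it only to high-risk roles or until the patch is confirmed installed, then call `Set-OutlookPlainText -Undo` to revert.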

"The CVE-2025-21295 vulnerability in the SPNEGO Extended Negotiation (NEGOEX) security mechanism allows unauthenticated attackers to run malicious code remotely on affected systems without user interaction," Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit, said.


"Despite a high attack complexity (AC:H), successful exploitation can fully compromise enterprise infrastructure by undermining a core security mechanism layer, leading to potential data breaches. Because no valid credentials are required, the risk of widespread impact is significant, highlighting the need for rapid patches and vigilant mitigation."

As for CVE-2025-21294, Microsoft said a bad actor could successfully exploit this vulnerability by connecting to a system that requires digest authentication, triggering a race condition to create a use-after-free scenario, and then leveraging it to execute arbitrary code.

"Microsoft Digest is the application responsible for performing initial authentication when a server receives the first challenge response from a client," Ben Hopkins, cybersecurity engineer at Immersive Labs, said. "The server works by checking that the client has not already been authenticated. CVE-2025-21294 involves exploitation of this process for attackers to gain remote code execution (RCE)."

Among the list of vulnerabilities that have been tagged as more likely to be exploited is an information disclosure flaw affecting Windows BitLocker (CVE-2025-21210, CVSS score: 4.2) that could allow for the recovery of hibernation images in plaintext, assuming an attacker is able to gain physical access to the victim machine's hard disk.

"Hibernation images are used when a laptop goes to sleep and contain the contents that were stored in RAM at the moment the device powered down," Kev Breen, senior director of threat research at Immersive Labs, said.

"This presents a significant potential impact as RAM can contain sensitive data (such as passwords, credentials, and PII) that may have been in open documents or browser sessions and can all be recovered with free tools from hibernation files."

Software Patches from Other Vendors

Apart from Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
