Microsoft fixes actively exploited Windows Hyper-V zero-day flaws
Microsoft has marked January 2025 Patch Tuesday with a hefty load of patches: 157 CVE-numbered security issues have been fixed in various products, three of which (in Hyper-V) are being actively exploited.
The exploited Hyper-V vulnerabilities
The exploited zero-days are CVE-2025-21333 (a buffer overflow bug), CVE-2025-21334 and CVE-2025-21335 (use-after-free flaws), and they all allow attackers to elevate their privileges to SYSTEM on compromised Windows and Windows Server machines.
They affect a component of Windows Hyper-V's NT Kernel that manages communication between virtual machines and the host operating system.
“We see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because it’s not always initial access to a system that’s a challenge for attackers as they have various avenues in their pursuit. The greater challenge is being able to obtain more privileged access once they’ve gained initial system access,” says Satnam Narang, senior staff research engineer at Tenable.
Unfortunately, Microsoft doesn’t include details about in-the-wild exploitation of its patched flaws.
But, as noted by Mike Walters, President at Action1, “organizations relying on Hyper-V, including data centers, cloud providers, enterprise IT environments, and development platforms, are at risk. An attacker with low privileges can execute code with SYSTEM privileges, gaining control over the host system.”
Other vulnerabilities of note
Among the publicly disclosed bugs are three (CVE-2025-21186, CVE-2025-21366, CVE-2025-21395) that affect Microsoft Access – a database management system – and could lead to remote code execution. They require user interaction – e.g., opening a file with a malicious extension – but the provided updates will block them if they are sent as email attachments.
They are deemed “less likely” to be exploited, and have been fixed in Microsoft Access 2016, the latest on-premises editions of Microsoft Office Long Term Service Channel, Microsoft Office 2019, and Microsoft 365 Apps for Enterprise.
“What makes these vulnerabilities most interesting is that they were reportedly discovered using AI, as they are credited to a platform called Unpatched.ai. Unpatched.ai was also credited with discovering a flaw in the December 2024 Patch Tuesday release (CVE-2024-49142),” Narang told Help Net Security.
“Automated vulnerability detection using AI has garnered a lot of attention recently, so it’s noteworthy to see this service being credited with finding bugs in Microsoft products. It may be the first of many in 2025.”
Among the “more likely” to be exploited flaws that have been fixed are vulnerabilities that may allow attackers to bypass security features relying on the MapUrlToZone Windows API function, Excel and Office flaws that could lead to RCE, and a critical Windows OLE RCE flaw (CVE-2025-21298) that could be triggered with specially crafted RTF files.
“As a mitigation, you can set Outlook to read all standard mail as plain text, but users will likely revolt against such a setting. The best option is to test and deploy this patch quickly,” noted Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.
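The plain-text mitigation Childs refers to is an Outlook registry setting. The following PowerShell, added here and not part of the article, audits whether it is in place for the per-user Office 2013 (15.0) and Office 2016/2019/365 (16.0) registry hives and can optionally enable it; the version strings and the ReadAsPlain value are the documented Outlook ones.

```powershell
# Added example (not from the article): audit, and optionally enable, Outlook's
# "read all standard mail as plain text" setting, the stopgap mitigation for the
# RTF-triggered OLE flaw discussed above. Assumes per-user Office installs under
# HKCU; ReadAsPlain = 1 means plain text, 0 or absent means HTML/RTF is rendered.
param([switch]$Enable)

$versions = '15.0', '16.0'   # Office 2013, and Office 2016/2019/365 Apps
foreach ($v in $versions) {
    $outlookKey = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    if (-not (Test-Path $outlookKey)) { continue }   # this Office version is not installed

    $mailKey = Join-Path $outlookKey 'Options\Mail'
    $current = (Get-ItemProperty -Path $mailKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    $state = if ($current -eq 1) { 'plain text (mitigated)' } else { 'rich rendering (exposed until patched)' }
    Write-Output "Office $v Outlook: ReadAsPlain=$current -> $state"

    if ($Enable -and $current -ne 1) {
        New-Item -Path $mailKey -Force | Out-Null    # create Options\Mail if it does not exist yet
        Set-ItemProperty -Path $mailKey -Name ReadAsPlain -Value 1 -Type DWord
        Write-Output "Office $v Outlook: ReadAsPlain set to 1; restart Outlook for it to take effect"
    }
}
```

Run it without `-Enable` to report the current state, or with `-Enable` to apply the setting in the logged-on user's context; as the article notes, this degrades the mail experience, so treat it as a bridge until the January update is deployed.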
An interesting vulnerability (CVE-2025-21210) that's also more likely to be exploited (according to Microsoft) is found in BitLocker, Windows' full disk encryption feature.
“Exploiting this vulnerability could allow the disclosure of unencrypted hibernation images in cleartext,” Microsoft said.
“Hibernation images are used when a laptop goes to sleep and contain the contents that were stored in RAM at the moment the device powered down. This presents a significant potential impact as RAM can contain sensitive data (such as passwords, credentials and PII) that may have been in open documents or browser sessions and can all be recovered with free tools from hibernation files,” Kevin Breen, Senior Director Threat Research at Immersive Labs, told Help Net Security.
“Also of concern is that the BitLocker keys could be recovered from RAM, and may be captured in hibernation files – again, free tooling exists to recover BitLocker keys from hibernation files.”
But to exploit it, attackers must have repeated physical access to the victim machine’s hard disk.
Laptop thieves might want to leverage this flaw, but are unlikely to: attack complexity is high, and they are generally after other things. Threat actors going after specific high-profile targets (spies or cryptocurrency thieves) might use it, but there are surely easier ways to grab sensitive data. In my mind, that leaves law enforcement as the most likely to find this one useful – if they can find a way to trigger it.
Nevertheless, as Breen advised, “if you have users with sensitive data traveling often, then this should be a high priority to patch.”