Microsoft has kicked off 2025 with a new set of patches addressing a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks.
Of the 161 flaws, 11 are rated Critical and 149 are rated Important. One more vulnerability, a non-Microsoft CVE related to a Windows Secure Boot bypass (CVE-2024-7344), has not been assigned a severity. According to the Zero Day Initiative, the update marks the highest number of CVEs addressed in a single month since at least 2017.
The fixes are in addition to seven vulnerabilities the Windows maker has addressed in its Chromium-based Edge browser since the release of the December 2024 Patch Tuesday updates.
A highlight among the fixes released by Microsoft is a trio of flaws in the Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335, CVSS score: 7.8) which the company says have been actively exploited in the wild –
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company’s advisory for the three vulnerabilities says.
How these flaws are being exploited, and in what context, is still unknown. Microsoft also did not disclose the identity of the threat actors weaponizing them or the scale of the attacks.
But given that they are elevation-of-privilege bugs, they are more likely to be used as part of post-compromise activity, where the attacker has already gained access to the target system by other means, noted Satnam Narang, senior staff research engineer at Tenable.
“The Virtualization Service Provider (VSP) resides in the root partition of the Hyper-V instance and provides synthetic device support for child partitions via the Virtual Machine Bus (VMBus): this is the basis of how Hyper-V allows child partitions to trick themselves into thinking they are a real computer,” Rapid7 lead software engineer Adam Barnett told The Hacker News.
“Given that this is all a security frontier, it’s perhaps surprising that Microsoft hasn’t acknowledged any Hyper-V NT Kernel Integration VSP vulnerabilities to date, but it wouldn’t be entirely shocking if new ones appeared now.”
The active exploitation of the Windows Hyper-V NT Kernel Integration VSP flaws has also led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to its Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to apply the fixes by February 4, 2025.
Separately, Redmond warned that five flaws are publicly known –
It should be noted that CVE-2025-21308, which can lead to improper disclosure of an NTLM hash, was previously flagged by 0patch as a bypass of the fix for CVE-2024-38030. Micropatches for the vulnerability were released in October 2024.
The three Microsoft Access flaws, on the other hand, were credited to Unpatched.ai, an AI-driven vulnerability discovery platform. Action1 also noted that while the flaws are classified as remote code execution (RCE) vulnerabilities, their exploitation requires an attacker to convince a user to open a specially crafted file.
The update is also notable for fixing five critical flaws –
- CVE-2025-21294 (CVSS score: 8.1) – Microsoft Digest Authentication Remote Code Execution Vulnerability
- CVE-2025-21295 (CVSS score: 8.1) – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
- CVE-2025-21298 (CVSS score: 9.8) – Windows Object Linking and Embedding (OLE) Remote Code Execution Vulnerability
- CVE-2025-21307 (CVSS score: 9.8) – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21311 (CVSS score: 9.8) – Windows NTLM V1 Elevation of Privilege Vulnerability
“In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email message to the victim,” Microsoft said in its bulletin for CVE-2025-21298.
“Exploitation of the vulnerability could involve the victim opening a specially crafted email with an affected version of Microsoft Outlook software, or the victim’s Outlook displaying a preview of the specially crafted email. This could lead to an attacker remotely executing code on the victim’s machine.”
To mitigate the flaw, users are advised to read email messages in plain text format. Microsoft also recommends configuring Outlook to reduce the risk of users opening RTF files from unknown or untrusted sources.
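One way to audit, and with `-Enforce` apply, the two Outlook mitigations just described on a workstation. This is an added example, not code from the article or from Microsoft; it assumes Outlook 2016/2019/Microsoft 365 (registry tree `16.0`), per-user scope, and that `ReadAsPlain` and the semicolon-separated `Level1Add` attachment list behave as documented for those versions.

```powershell
# Added example (not from the article or Microsoft): audit and optionally apply
# the Outlook mitigations the article cites for CVE-2025-21298.
# Assumption: Outlook 16.0 registry tree, current user only.
param([switch]$Enforce)

$mailKey = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
$secKey  = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Security'

function Get-RegValue($Path, $Name) {
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

# ReadAsPlain = 1 renders HTML/RTF message bodies as plain text (weak state: missing or 0).
$readAsPlain = Get-RegValue $mailKey 'ReadAsPlain'
# Level1Add lists extra extensions Outlook treats as Level 1 (blocked) attachments.
$level1Add  = Get-RegValue $secKey 'Level1Add'
$rtfBlocked = (($level1Add -split ';') -contains '.rtf')

[pscustomobject]@{
    ReadAsPlain      = if ($readAsPlain -eq 1) { 'enabled' } else { 'NOT enabled' }
    RtfAttachBlocked = if ($rtfBlocked) { 'yes' } else { 'no' }
}

if ($Enforce) {
    foreach ($k in $mailKey, $secKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $mailKey -Name 'ReadAsPlain' -Type DWord -Value 1
    if (-not $rtfBlocked) {
        $new = (@($level1Add, '.rtf') | Where-Object { $_ }) -join ';'
        Set-ItemProperty -Path $secKey -Name 'Level1Add' -Type String -Value $new
    }
    Write-Host 'Mitigations applied; restart Outlook for them to take effect.'
}
```

Plain-text rendering covers RTF message bodies and the preview pane, while the Level 1 entry only blocks RTF attachments; for a fleet, the same values belong under the Group Policy tree rather than per-user keys.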
“CVE-2025-21295 vulnerability in the SPNEGO Extended Negotiation (NEGOEX) security mechanism allows unauthenticated attackers to remotely execute malicious code on affected systems without user interaction,” said Saeed Abbasi, Vulnerability Research Manager at Qualys Threat Research Unit.
“Despite the high attack complexity (AC:H), successful exploitation can completely compromise corporate infrastructure by undermining a core layer of the security mechanism, leading to potential data breaches. Because valid credentials are not required, the risk of widespread exposure is significant, underscoring the need for immediate remediation and diligent mitigation.”
Regarding CVE-2025-21294, Microsoft said that an attacker could successfully exploit this vulnerability by connecting to a system that requires Digest authentication, triggering a race condition to create a use-after-free scenario, and then using it to execute arbitrary code.
“Microsoft Digest is the application that is responsible for performing the initial authentication when the server receives the first response to a request from a client,” said Ben Hopkins, cybersecurity engineer at Immersive Labs. “The server works by checking that the client has not yet been authenticated. CVE-2025-21294 involves attackers using this process to achieve remote code execution (RCE).”
Among the vulnerabilities flagged as more likely to be exploited is an information disclosure flaw affecting Windows BitLocker (CVE-2025-21210, CVSS score: 4.2), which could allow the recovery of hibernation images in plaintext, provided the attacker can gain physical access to the victim machine’s hard drive.
“Hibernation images are used when a laptop goes to sleep and contain the content that was stored in RAM at the moment the device was powered down,” said Kev Breen, senior director of threat research at Immersive Labs.
“This presents a significant potential impact, as RAM can contain sensitive data (such as passwords and credentials) that may have been in open documents or browser sessions, all of which can be recovered using free tools from hibernation files.”
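A defender-side check for the exposure described above: report whether a machine has a BitLocker-protected OS volume that is still writing hibernation images to disk. This is an added example, not code from the article, Immersive Labs or Microsoft; it assumes an elevated session, the BitLocker PowerShell module, and the `HibernateEnabled` value under the Power control key.

```powershell
# Added example (not from the article or Microsoft): flag hosts where the
# CVE-2025-21210 exposure applies, i.e. BitLocker protects the OS volume but
# hibernation still writes a RAM image (hiberfil.sys) to that volume.
# Assumptions: elevated session, BitLocker module, HibernateEnabled registry value.
function Get-HiberfilExposure {
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hibernateOn = (Get-ItemProperty -Path $powerKey -Name 'HibernateEnabled' `
                    -ErrorAction SilentlyContinue).HibernateEnabled -eq 1
    $hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitlockerOn = ($osVol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        BitLockerOn      = $bitlockerOn
        HibernateEnabled = $hibernateOn
        HiberfilPresent  = (Test-Path $hiberfil)
        # Exposed: the volume is encrypted, yet RAM snapshots land on it and,
        # per the advisory, could be recovered in plaintext before the patch.
        Exposed          = ($bitlockerOn -and $hibernateOn)
    }
}

$result = Get-HiberfilExposure
$result
if ($result.Exposed) {
    # Until the January 2025 update is installed, turning hibernation off stops
    # new images being written and removes hiberfil.sys.
    Write-Warning 'OS volume is BitLocker-protected but hibernation is enabled; consider: powercfg /hibernate off'
}
```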
Third-party software patches
Apart from Microsoft, other vendors have released security updates over the past few weeks to fix some of the vulnerabilities, including –