CVE-2025-21333
published 2025-01-14CVE-2025-21333: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
PriorityP184high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2025-02-04
Exploited in the wild
EPSS
9.80%
94.9th percentile
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_21h2 | < 10.0.19044.5371 | 10.0.19044.5371 |
| microsoft | windows_10_22h2 | < 10.0.19045.5371 | 10.0.19045.5371 |
| microsoft | windows_10_version_21h2 | >= 10.0.19044.0 < 10.0.19044.5371 | 10.0.19044.5371 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.5371 | 10.0.19045.5371 |
| microsoft | windows_11_22h2 | < 10.0.22621.4751 | 10.0.22621.4751 |
| microsoft | windows_11_23h2 | < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_24h2 | < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.4751 | 10.0.22621.4751 |
| microsoft | windows_11_version_22h3 | >= 10.0.22631.0 < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_server_2022_23h2 | < 10.0.25398.1369 | 10.0.25398.1369 |
| microsoft | windows_server_2025 | < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.2894 | 10.0.26100.2894 |
| msrc | windows_10_version_21h2_for_x64-based_systems | — | — |
| msrc | windows_10_version_22h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_23h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_23h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_x64-based_systems | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
| msrc | windows_server_2025 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for named pipe creation using the exploit-specific names 'IoRingExploitOutput' and 'IoRingExploitInput', which are hardcoded in the public PoC exploit for CVE-2025-21333. ↗
- →Detect pool tag allocations of 0x42527249 ('IrRB') and 0x7441704e ('NpAt') in kernel pool spray activity, which are used by the exploit to manipulate heap layout targeting NPFS pipe attribute objects. ↗
- →Alert on low-privileged processes spawning children or threads with SYSTEM-level token privileges, consistent with the EoP goal of this vulnerability targeting the Hyper-V NT Kernel Integration VSP driver. ↗
- →The vulnerability is a heap-based buffer overflow in the Hyper-V NT Kernel Integration VSP, exploitable locally. Monitor for exploitation in environments running Windows Sandbox or Microsoft Defender Application Guard (MDAG), as these are the container-type VM contexts where the vulnerable VSP component is active. ↗
- →CVE-2025-21333 is confirmed actively exploited in the wild (KEV listed, MSRC Exploitation Detected). Prioritize detection on unpatched systems; patch KB5049981, KB5050021, KB5050009, KB5049984 address this vulnerability. ↗
- ·This is a LOCAL elevation of privilege only — not a guest-to-host escape. Exploitation requires an attacker to already have local code execution on the host OS. ↗
- ·The vulnerable component (Hyper-V NT Kernel Integration VSP) is NOT present in traditional Hyper-V VM environments. Detection and patching efforts should focus on systems running Windows Sandbox or MDAG container-type VMs. ↗
- ·The EPROCESS/token offsets hardcoded in the PoC (e.g., EPROCESS_TOKEN_OFFSET 0x4b8, EPROCESS_UNIQUEPROCESSID_OFFSET 0x440) are specific to Windows Server 2025 kernel builds; exploit reliability against other Windows versions will vary. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck7.8HIGH
cisa7.8HIGH
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-gjv6-pfh4-3rff: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
ghsa_unreviewed·2025-01-14
CVE-2025-21333 [HIGH] CWE-122 GHSA-gjv6-pfh4-3rff: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
VulnCheck
Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
vulncheck·2025·CVSS 7.8
CVE-2025-21333 [HIGH] CWE-122 Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
Microsoft Windows Hyper-V NT Kernel Integration VSP contains a heap-based buffer overflow vulnerability that allows a local attacker to gain SYSTEM privileges.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2025-Jan; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://securelist.com/vulnerabilities-and-exploits-in-q1-2025/116624/; https://www.kelacyber.com/resources/research/2025_midyear_threat_report/; https://
Microsoft
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
vendor_msrc·2025-01-14·CVSS 7.8
CVE-2025-21333 [HIGH] CWE-122 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
FAQ: Does this vulnerability exist in the Hyper-V server?
No, the Hyper-V NT Kernel Integration Virtual Service Provider (VSP) is a component used for communications between the host OS and container-type VMs, such as Windows Sandbox and Microsoft Defender Application Guard (MDAG). It is not in a traditional Hyper-V VM environment. Whereas traditional Hyper-V VMs have a strong boundary between the host and the guest for isolation purposes, container-type VMs like MDAG simulate that they are running on the host. The Hyper-V NT
CISA
Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
cisa·2025-01-14·CVSS 7.8
CVE-2025-21333 [HIGH] CWE-122 Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
Vulnerability: Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
Affected: Microsoft Windows
Microsoft Windows Hyper-V NT Kernel Integration VSP contains a heap-based buffer overflow vulnerability that allows a local attacker to gain SYSTEM privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21333 ; https://nvd.nist.gov/vuln/detail/CVE-2025-21333
Remediation Due Date: 2025-02-04
No detection rules found.
Securelist
Vulnerability landscape analysis for Q1 2025
blogs_securelist·2025-05-30
Vulnerability landscape analysis for Q1 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NNNNN identifiers. The nature of the CVE assignment process can result in a notable delay between problem investigation and patch release, which is mitigated by reserving a CVE ID early in the process. As for trends in vulnerability exploitation, we are seeing increasing rates of attacks targeting older operating syste
Securelist
Exploits and vulnerabilities in Q1 2025
blogs_securelist·2025-05-30·CVSS 7.8
CVE-2025-21333 [HIGH] Exploits and vulnerabilities in Q1 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
ZDI-CAN-25373: a vulnerability in Windows that affects how LNK files are displayed
CVE-2025-21333: a heap buffer overflow vulnerability in the vkrnlintvsp.sys driver
CVE-2025-24071: a NetNTLM hash leakage vulnerability in the file system indexer
Conclusion and advice
Authors
Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NN
Qualys
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
blogs_qualys·2025-04-18
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
## Table of Contents
Why Zero-Day Vulnerabilities Demand a New Security Mindset
Understanding Zero-Day Vulnerabilities, Exploits, and Attacks
How Do Zero-Day Attacks Work?
The Zero-Day Lifecycle: From Discovery to Exploitation
Real-World Zero-Day Attacks and Their Impact
Why Zero-Day Vulnerabilities Are So Dangerous
Detecting Zero-Day Vulnerabilities
Challenges in Identifying Zero-Day Vulnerabilities
How Qualys Helps Organizations Manage Zero-Day Risk
Conclusion
Frequently Asked Questions (FAQs)
Executive Summary
Zero-day vulnerabilities pose a significant and growing risk as opportunistic attackers rapidly exploit unknown flaws before fixes are available. These threats can bypass traditional defenses, spread rapidly, and cause widespread disruption across organizations.
To r
Qualys
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
blogs_qualys·2025-04-18
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
#### Table of Contents
- Why Zero-Day Vulnerabilities Demand a New Security Mindset
- Understanding Zero-Day Vulnerabilities, Exploits, and Attacks
- How Do Zero-Day Attacks Work?
- The Zero-Day Lifecycle: From Discovery to Exploitation
- Real-World Zero-Day Attacks and Their Impact
- Why Zero-Day Vulnerabilities Are So Dangerous
- Detecting Zero-Day Vulnerabilities
- Challenges in Identifying Zero-Day Vulnerabilities
- How Qualys Helps Organizations Manage Zero-Day Risk
- Conclusion
- Frequently Asked Questions (FAQs)
Executive Summary
Zero-day vulnerabilities pose a significant and growing risk as opportunistic attackers rapidly exploit unknown flaws before fixes are available. These threats can bypass traditional defenses, spread rapidly, and cause widespread disruption across organi
Tenable
Cybersecurity Snapshot: CISA Calls for Stamping Out Buffer Overflow Vulnerabilities, as Europol Tells Banks To Prep For Quantum Threat
blogs_tenable·2025-02-14
Cybersecurity Snapshot: CISA Calls for Stamping Out Buffer Overflow Vulnerabilities, as Europol Tells Banks To Prep For Quantum Threat
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Bleepingcomputer
Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
blogs_bleepingcomputer·2025-01-14·CVSS 7.8
[HIGH] Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
## Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
## Lawrence Abrams
40 Elevation of Privilege Vulnerabilities
14 Security Feature Bypass Vulnerabilities
58 Remote Code Execution Vulnerabilities
24 Information Disclosure Vulnerabilities
20 Denial of Service Vulnerabilities
5 Spoofing Vulnerabilities
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5050009 & KB5050021 cumulative updates and the Windows 10 KB5048652 cumulative update.
## Three actively exploited zero-day disclosed
This month's Patch Tuesday fixes three actively exploited and five publicly exposed zero-day vulnerabilities.
Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no offi
Krebs
Microsoft: Happy 2025. Here’s 161 Security Updates
blogs_krebs·2025-01-14·CVSS 9.8
[CRITICAL] Microsoft: Happy 2025. Here’s 161 Security Updates
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
Rapid7‘s Adam Barnett says January marks the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also saw the publication of nine critical remote code execution (RCE) vulnerabilities.
The Microsoft flaws already seeing active attacks include CVE-2025-21333, CVE-2025-21334 and, you guessed it– CVE-2025-21335. These are sequential because all reside in Windows Hyper-V
Tenable
Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
blogs_tenable·2025-01-14·CVSS 7.8
[HIGH] Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Qualys
Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review
blogs_qualys·2025-01-14
Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for January 2025
Adobe Patches for January 2025
Zero-day Vulnerabilities Patched in January Patch Tuesday Edition
Critical Severity Vulnerabilities Patched in January Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
Qualys Monthly Webinar Series
Happy New Year! As the calendar turns to January 2025, Microsoft’s first Patch Tuesday of 2025 has arrived. From zero-days to critical vulnerabilities, here’s what deserves your attention. Here’s a breakdown of what’s been patched.
## Microsoft Patch Tu
Qualys
Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review | Qualys
blogs_qualys·2025-01-14
Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for January 2025
- Adobe Patches for January 2025
- Zero-day Vulnerabilities Patched in January Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in January Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- Qualys Monthly Webinar Series
Happy New Year! As the calendar turns to January 2025, Microsoft’s first Patch Tuesday of 2025 has arrived. From zero-days to critical vulnerabilities, here’s what deserves your attention. Here’s a breakdown of what’s been patched.
## Micro
Krebs
Microsoft: Happy 2025. Here’s 161 Security Updates
blogs_krebs·2025-01-14·CVSS 9.8
[CRITICAL] Microsoft: Happy 2025. Here’s 161 Security Updates
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
Rapid7 ‘s Adam Barnett says January marks the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also saw the publication of nine critical remote code execution (RCE) vulnerabilities.
The Microsoft flaws already seeing active attacks include CVE-2025-21333 , CVE-2025-21334 and, you guessed it– CVE-2025-21335 . These are sequential because all reside in Windows Hype
Crowdstrike
January 2025 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] January 2025 Patch Tuesday: Updates and Analysis
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand AT
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333https://www.exploit-db.com/exploits/52436https://www.vicarius.io/vsociety/posts/cve-2025-21333-elevated-privilege-exposure-in-windows-hyper-v-by-microsoft-detection-scripthttps://www.vicarius.io/vsociety/posts/cve-2025-21333-elevated-privilege-exposure-in-windows-hyper-v-by-microsoft-mitigation-scripthttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21333
2025-01-14
Published
2025-01-14
Added to CISA KEV
Exploited in the wild