CVE-2025-21333
published 2025-01-14

CVE-2025-21333: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability

Priority: P184 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-02-04
Exploited in the wild
EPSS: 9.80% (94.9th percentile)
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability

Affected

24 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_21h2 | < 10.0.19044.5371 | 10.0.19044.5371 |
| microsoft | windows_10_22h2 | < 10.0.19045.5371 | 10.0.19045.5371 |
| microsoft | windows_10_version_21h2 | >= 10.0.19044.0 < 10.0.19044.5371 | 10.0.19044.5371 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.5371 | 10.0.19045.5371 |
| microsoft | windows_11_22h2 | < 10.0.22621.4751 | 10.0.22621.4751 |
| microsoft | windows_11_23h2 | < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_24h2 | < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.4751 | 10.0.22621.4751 |
| microsoft | windows_11_version_22h3 | >= 10.0.22631.0 < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_server_2022_23h2 | < 10.0.25398.1369 | 10.0.25398.1369 |
| microsoft | windows_server_2025 | < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.2894 | 10.0.26100.2894 |
| msrc | windows_10_version_21h2_for_x64-based_systems | | |
| msrc | windows_10_version_22h2_for_x64-based_systems | | |
| msrc | windows_11_version_22h2_for_arm64-based_systems | | |
| msrc | windows_11_version_22h2_for_x64-based_systems | | |
| msrc | windows_11_version_23h2_for_arm64-based_systems | | |
| msrc | windows_11_version_23h2_for_x64-based_systems | | |
| msrc | windows_11_version_24h2_for_arm64-based_systems | | |
| msrc | windows_11_version_24h2_for_x64-based_systems | | |
| msrc | windows_server_2022_23h2_edition | | |
| msrc | windows_server_2025 | | |

Detection & IOCs (extracted from sources)

path: \\.\pipe\IoRingExploitOutput
path: \\.\pipe\IoRingExploitInput
other: REGBUFFERS_TAG: 0x42527249
other: PIPEATTRIBUTE_TAG: 0x7441704e
  • Monitor for named pipe creation using the exploit-specific names 'IoRingExploitOutput' and 'IoRingExploitInput', which are hardcoded in the public PoC exploit for CVE-2025-21333.
  • Detect pool tag allocations of 0x42527249 ('IrRB') and 0x7441704e ('NpAt') in kernel pool spray activity, which are used by the exploit to manipulate heap layout targeting NPFS pipe attribute objects.
  • Alert on low-privileged processes spawning children or threads with SYSTEM-level token privileges, consistent with the EoP goal of this vulnerability targeting the Hyper-V NT Kernel Integration VSP driver.
  • The vulnerability is a heap-based buffer overflow in the Hyper-V NT Kernel Integration VSP, exploitable locally. Monitor for exploitation in environments running Windows Sandbox or Microsoft Defender Application Guard (MDAG), as these are the container-type VM contexts where the vulnerable VSP component is active.
  • CVE-2025-21333 is confirmed actively exploited in the wild (KEV listed, MSRC Exploitation Detected). Prioritize detection on unpatched systems; patches KB5049981, KB5050021, KB5050009 and KB5049984 address this vulnerability.
  • This is a LOCAL elevation of privilege only, not a guest-to-host escape. Exploitation requires an attacker to already have local code execution on the host OS.
  • The vulnerable component (Hyper-V NT Kernel Integration VSP) is NOT present in traditional Hyper-V VM environments. Detection and patching efforts should focus on systems running Windows Sandbox or MDAG container-type VMs.
  • The EPROCESS/token offsets hardcoded in the PoC (e.g., EPROCESS_TOKEN_OFFSET 0x4b8, EPROCESS_UNIQUEPROCESSID_OFFSET 0x440) are specific to Windows Server 2025 kernel builds; exploit reliability against other Windows versions will vary.

CVSS provenance

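| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_msrc | | 7.8 | HIGH | |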