cbcvebase.
CVE-2025-21334
published 2025-01-14

CVE-2025-21334: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability

PriorityP182high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2025-02-04
Exploited in the wild
EPSS
1.53%
71.6th percentile
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability

Affected

28 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows_10_21h2< 10.0.19044.537110.0.19044.5371
microsoftwindows_10_22h2< 10.0.19045.537110.0.19045.5371
microsoftwindows_10_version_21h2>= 10.0.19044.0 < 10.0.19044.537110.0.19044.5371
microsoftwindows_10_version_22h2>= 10.0.19045.0 < 10.0.19045.537110.0.19045.5371
microsoftwindows_11_22h2< 10.0.22621.475110.0.22621.4751
microsoftwindows_11_23h2< 10.0.22631.475110.0.22631.4751
microsoftwindows_11_24h2< 10.0.26100.289410.0.26100.2894
microsoftwindows_11_version_22h2>= 10.0.22621.0 < 10.0.22621.475110.0.22621.4751
microsoftwindows_11_version_22h3>= 10.0.22631.0 < 10.0.22631.475110.0.22631.4751
microsoftwindows_11_version_23h2>= 10.0.22631.0 < 10.0.22631.475110.0.22631.4751
microsoftwindows_11_version_24h2>= 10.0.26100.0 < 10.0.26100.289410.0.26100.2894
microsoftwindows_server_2022_23h2< 10.0.25398.136910.0.25398.1369
microsoftwindows_server_2025< 10.0.26100.289410.0.26100.2894
microsoftwindows_server_2025>= 10.0.26100.0 < 10.0.26100.289410.0.26100.2894
msrcazl3_kata-containers_3.15.0.aks0-1_on_azure_linux_3.0
msrccbl_mariner_1.0_arm
msrccbl_mariner_1.0_x64
msrccm1_moby-containerd_1.4.4+azure-2_on_cbl_mariner_1.0
msrcwindows_10_version_21h2_for_x64-based_systems
msrcwindows_10_version_22h2_for_x64-based_systems
msrcwindows_11_version_22h2_for_arm64-based_systems
msrcwindows_11_version_22h2_for_x64-based_systems
msrcwindows_11_version_23h2_for_arm64-based_systems
msrcwindows_11_version_23h2_for_x64-based_systems
msrcwindows_11_version_24h2_for_arm64-based_systems

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is a use-after-free in the Hyper-V NT Kernel Integration VSP driver, exploited locally for SYSTEM privilege escalation — monitor for unexpected SYSTEM-level process creation from low-privileged processes on hosts running Windows Sandbox or Microsoft Defender Application Guard (MDAG).
  • The vulnerable component (Hyper-V NT Kernel Integration VSP driver) is used for host-OS to container-type VM communications (Windows Sandbox, MDAG) — focus detection on systems with these features enabled, not traditional Hyper-V VM environments.
  • Exploitation has been detected in the wild as of the January 2025 patch cycle — treat any unpatched Windows systems running MDAG or Windows Sandbox as actively at risk and prioritize patch KB5049981 / KB5050021 / KB5050009 / KB5049984.
  • This is a local EoP only (not a guest-to-host escape) — detection should focus on local privilege escalation patterns rather than VM escape telemetry.
  • ·Vulnerability does NOT affect traditional Hyper-V VM environments; only hosts running container-type VMs (Windows Sandbox, MDAG) are in scope.
  • ·Remediation due date per CISA KEV is 2025-02-04; apply vendor patches before this date.

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck7.8HIGH
cisa7.8HIGH
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.