CVE-2025-21335
Published 2025-01-14
CVE-2025-21335: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
Priority: P1 · 82 · high · 7.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2025-02-04
Exploited in the wild
EPSS: 1.36% (68.3rd percentile)
Affected (24 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_21h2 | < 10.0.19044.5371 | 10.0.19044.5371 |
| microsoft | windows_10_22h2 | < 10.0.19045.5371 | 10.0.19045.5371 |
| microsoft | windows_10_version_21h2 | >= 10.0.19044.0 < 10.0.19044.5371 | 10.0.19044.5371 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.5371 | 10.0.19045.5371 |
| microsoft | windows_11_22h2 | < 10.0.22621.4751 | 10.0.22621.4751 |
| microsoft | windows_11_23h2 | < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_24h2 | < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.4751 | 10.0.22621.4751 |
| microsoft | windows_11_version_22h3 | >= 10.0.22631.0 < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_server_2022_23h2 | < 10.0.25398.1369 | 10.0.25398.1369 |
| microsoft | windows_server_2025 | < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.2894 | 10.0.26100.2894 |
| msrc | windows_10_version_21h2_for_x64-based_systems | — | — |
| msrc | windows_10_version_22h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_23h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_23h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_x64-based_systems | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
| msrc | windows_server_2025 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability resides in the Hyper-V NT Kernel Integration VSP driver, which handles communications between the host OS and container-type VMs (Windows Sandbox, Microsoft Defender Application Guard). Monitor for unexpected SYSTEM-level process creation originating from these container environments.
- This is a local use-after-free EoP — not a guest-to-host escape. Detection focus should be on local privilege escalation to SYSTEM from a low-privileged process on the host, particularly processes associated with Windows Sandbox or MDAG.
- Exploitation has been detected in the wild (per MSRC). Prioritize alerting on anomalous SYSTEM token acquisition by non-privileged processes on Windows hosts running Windows Sandbox or MDAG features.
- This vulnerability does NOT affect traditional Hyper-V VM environments. It is specific to container-type VMs (Windows Sandbox, MDAG) that use the NT Kernel Integration VSP driver. Do not apply detection logic to standard Hyper-V guest/host boundaries.
- This is a local elevation of privilege only — not a guest-to-host escape. Scope detection rules accordingly; network-based or cross-VM lateral movement indicators are not applicable here.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
GHSA
GHSA-6p26-7gx2-v5m2: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
ghsa_unreviewed · 2025-01-14 · CVE-2025-21335 [HIGH] · CWE-416
VulnCheck
Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability
vulncheck · 2025 · CVSS 7.8 · CVE-2025-21335 [HIGH] · CWE-416
Microsoft Windows Hyper-V NT Kernel Integration VSP contains a use-after-free vulnerability that allows a local attacker to gain SYSTEM privileges.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2025-Jan
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21335
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.kelacyber.com/resources/research/2025_midyear_threat_report/
- https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025
CISA
Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability
cisa · 2025-01-14 · CVSS 7.8 · CVE-2025-21335 [HIGH] · CWE-416
Affected: Microsoft Windows
Microsoft Windows Hyper-V NT Kernel Integration VSP contains a use-after-free vulnerability that allows a local attacker to gain SYSTEM privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21335
- https://nvd.nist.gov/vuln/detail/CVE-2025-21335
Remediation Due Date: 2025-02-04
Microsoft
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
vendor_msrc · 2025-01-14 · CVSS 7.8 · CVE-2025-21335 [HIGH] · CWE-416
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
FAQ: Does this vulnerability exist in the Hyper-V server?
No, the Hyper-V NT Kernel Integration Virtual Service Provider (VSP) is a component used for communications between the host OS and container-type VMs, such as Windows Sandbox and Microsoft Defender Application Guard (MDAG). It is not in a traditional Hyper-V VM environment. Whereas traditional Hyper-V VMs have a strong boundary between the host and the guest for isolation purposes, container-type VMs like MDAG simulate that they are running on the host. The Hyper-V NT
No detection rules found.
No public exploits indexed.
Qualys
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
blogs_qualys · 2025-04-18
## Table of Contents
- Why Zero-Day Vulnerabilities Demand a New Security Mindset
- Understanding Zero-Day Vulnerabilities, Exploits, and Attacks
- How Do Zero-Day Attacks Work?
- The Zero-Day Lifecycle: From Discovery to Exploitation
- Real-World Zero-Day Attacks and Their Impact
- Why Zero-Day Vulnerabilities Are So Dangerous
- Detecting Zero-Day Vulnerabilities
- Challenges in Identifying Zero-Day Vulnerabilities
- How Qualys Helps Organizations Manage Zero-Day Risk
- Conclusion
- Frequently Asked Questions (FAQs)
Executive Summary
Zero-day vulnerabilities pose a significant and growing risk as opportunistic attackers rapidly exploit unknown flaws before fixes are available. These threats can bypass traditional defenses, spread rapidly, and cause widespread disruption across organizations.
To r
Bleepingcomputer
Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
blogs_bleepingcomputer · 2025-01-14 · CVSS 7.8 · [HIGH]
Lawrence Abrams
- 40 Elevation of Privilege Vulnerabilities
- 14 Security Feature Bypass Vulnerabilities
- 58 Remote Code Execution Vulnerabilities
- 24 Information Disclosure Vulnerabilities
- 20 Denial of Service Vulnerabilities
- 5 Spoofing Vulnerabilities
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5050009 & KB5050021 cumulative updates and the Windows 10 KB5048652 cumulative update.
## Three actively exploited zero-days disclosed
This month's Patch Tuesday fixes three actively exploited and five publicly exposed zero-day vulnerabilities.
Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no offi
Krebs
Microsoft: Happy 2025. Here's 161 Security Updates
blogs_krebs · 2025-01-14 · CVSS 9.8 · [CRITICAL]
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
Rapid7's Adam Barnett says January marks the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also saw the publication of nine critical remote code execution (RCE) vulnerabilities.
The Microsoft flaws already seeing active attacks include CVE-2025-21333, CVE-2025-21334 and, you guessed it, CVE-2025-21335. These are sequential because all reside in Windows Hyper-V
Tenable
Microsoft's January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
blogs_tenable · 2025-01-14 · CVSS 7.8 · [HIGH]
Qualys
Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review
blogs_qualys · 2025-01-14
## Table of Contents
- Microsoft Patch Tuesday for January 2025
- Adobe Patches for January 2025
- Zero-day Vulnerabilities Patched in January Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in January Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- Qualys Monthly Webinar Series
Happy New Year! As the calendar turns to January 2025, Microsoft’s first Patch Tuesday of 2025 has arrived. From zero-days to critical vulnerabilities, here’s what deserves your attention. Here’s a breakdown of what’s been patched.
## Microsoft Patch Tu
Crowdstrike
January 2025 Patch Tuesday: Updates and Analysis
blogs_crowdstrike · CVSS 7.5 · CVE-2026-20929 [HIGH]
Timeline
- 2025-01-14: Published
- 2025-01-14: Added to CISA KEV
- Exploited in the wild