cbcvebase.
CVE-2025-21335
published 2025-01-14

CVE-2025-21335: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability

PriorityP182high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2025-02-04
Exploited in the wild
EPSS
1.36%
68.3th percentile
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability

Affected

24 ranges
VendorProductVersion rangeFixed in
microsoftwindows_10_21h2< 10.0.19044.537110.0.19044.5371
microsoftwindows_10_22h2< 10.0.19045.537110.0.19045.5371
microsoftwindows_10_version_21h2>= 10.0.19044.0 < 10.0.19044.537110.0.19044.5371
microsoftwindows_10_version_22h2>= 10.0.19045.0 < 10.0.19045.537110.0.19045.5371
microsoftwindows_11_22h2< 10.0.22621.475110.0.22621.4751
microsoftwindows_11_23h2< 10.0.22631.475110.0.22631.4751
microsoftwindows_11_24h2< 10.0.26100.289410.0.26100.2894
microsoftwindows_11_version_22h2>= 10.0.22621.0 < 10.0.22621.475110.0.22621.4751
microsoftwindows_11_version_22h3>= 10.0.22631.0 < 10.0.22631.475110.0.22631.4751
microsoftwindows_11_version_23h2>= 10.0.22631.0 < 10.0.22631.475110.0.22631.4751
microsoftwindows_11_version_24h2>= 10.0.26100.0 < 10.0.26100.289410.0.26100.2894
microsoftwindows_server_2022_23h2< 10.0.25398.136910.0.25398.1369
microsoftwindows_server_2025< 10.0.26100.289410.0.26100.2894
microsoftwindows_server_2025>= 10.0.26100.0 < 10.0.26100.289410.0.26100.2894
msrcwindows_10_version_21h2_for_x64-based_systems
msrcwindows_10_version_22h2_for_x64-based_systems
msrcwindows_11_version_22h2_for_arm64-based_systems
msrcwindows_11_version_22h2_for_x64-based_systems
msrcwindows_11_version_23h2_for_arm64-based_systems
msrcwindows_11_version_23h2_for_x64-based_systems
msrcwindows_11_version_24h2_for_arm64-based_systems
msrcwindows_11_version_24h2_for_x64-based_systems
msrcwindows_server_2022_23h2_edition
msrcwindows_server_2025

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability resides in the Hyper-V NT Kernel Integration VSP driver, which handles communications between the host OS and container-type VMs (Windows Sandbox, Microsoft Defender Application Guard). Monitor for unexpected SYSTEM-level process creation originating from these container environments.
  • This is a local use-after-free EoP — not a guest-to-host escape. Detection focus should be on local privilege escalation to SYSTEM from a low-privileged process on the host, particularly processes associated with Windows Sandbox or MDAG.
  • Exploitation has been detected in the wild (per MSRC). Prioritize alerting on anomalous SYSTEM token acquisition by non-privileged processes on Windows hosts running Windows Sandbox or MDAG features.
  • ·This vulnerability does NOT affect traditional Hyper-V VM environments. It is specific to container-type VMs (Windows Sandbox, MDAG) that use the NT Kernel Integration VSP driver. Do not apply detection logic to standard Hyper-V guest/host boundaries.
  • ·This is a local elevation of privilege only — not a guest-to-host escape. Scope detection rules accordingly; network-based or cross-VM lateral movement indicators are not applicable here.

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck7.8HIGH
cisa7.8HIGH
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.