Microsoft Fixes Three Exploited Windows Hyper-V Bugs

The three Windows Hyper-V vulnerabilities (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335) are being exploited.

Microsoft issued patches for three elevation-of-privilege zero days in its Windows Hyper-V virtualization platform, and warned that the flaws are being exploited.

The Tuesday patches were part of Microsoft’s regularly scheduled updates for January, which include 159 new CVEs overall. The company’s December 2024 security update included 71 new CVEs, for comparison.

Key Details:

  • The three vulnerabilities (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335) stem from the NT Kernel Integration Virtual Service Provider (VSP), a component of Hyper-V.

  • According to Microsoft’s security advisories for all three flaws, an attacker who successfully exploits them could gain SYSTEM privileges. Attackers would need to be authenticated and local, according to Tenable researchers.

  • Microsoft didn’t include further technical details about the exploitation activity in its advisories.

Why It Matters: Given the potential impact of the Hyper-V flaws and the fact that they are being actively exploited, security teams will want to prioritize Microsoft’s Tuesday patches. Microsoft has included further information about the update downloads in its security advisories for CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335.

The Big Picture: Beyond these three exploited flaws, Microsoft’s massive patch Tuesday release disclosed several other important vulnerabilities, including critical-severity ones. The most severe of these (ranking 9.8 out of 10 on the CVSS scale) include: 

A remote code execution flaw in the Windows Object Linking and Embedding (OLE) technology, which allows linking in documents (CVE-2025-21298). 

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” according to Microsoft’s security advisory for this flaw. “Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim's machine.”

A remotely exploitable elevation-of-privilege flaw in Windows NTLM V1 (CVE-2025-21311). According to Microsoft, in order to exploit the flaw “an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.”

A remote code execution flaw (CVE-2025-21307) in Windows Reliable Multicast Transport Driver (RMCAST), which can be exploited by an unauthenticated actor that sends specially crafted packets to a Windows Pragmatic General Multicast (PGM) open socket on the server (without user interaction).
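For teams triaging this release, the following read-only exposure check is an added example; it is not from the Vulnerable U article or from Microsoft. It reports whether the Hyper-V feature is present on the host (where the NT Kernel Integration VSP affected by CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 lives), whether the host still accepts NTLMv1 via the `LmCompatibilityLevel` LSA setting (relevant to CVE-2025-21311), and which of a list of expected KB updates are missing. The KB identifiers in `$ExpectedKBs` are placeholders, since the article names none; take the real ones for your OS build from Microsoft’s advisories.

```powershell
# Added example (not from the article or Microsoft): read-only patch-state and
# exposure triage for a Windows host after the January 2025 release.
# Run from an elevated PowerShell session.

# PLACEHOLDERS: replace with the KB IDs listed in Microsoft's advisories for your build.
$ExpectedKBs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2')

function Test-HyperVPresent {
    # Client SKUs expose the feature through DISM; Server SKUs through the ServerManager module.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
    if ($feature) { return ($feature.State -eq 'Enabled') }
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        return [bool](Get-WindowsFeature -Name 'Hyper-V').Installed
    }
    return $false
}

function Get-NtlmV1Status {
    # LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
    #   0-2: client may send LM/NTLMv1;  3-4: client sends NTLMv2 but NTLMv1 is still accepted;
    #   5:   LM and NTLMv1 are refused.  An absent value means the OS default applies.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    $level = if ($null -ne $lsa) { [int]$lsa.LmCompatibilityLevel } else { $null }
    [pscustomobject]@{
        LmCompatibilityLevel = if ($null -eq $level) { 'not set (OS default applies)' } else { $level }
        NtlmV1Refused        = ($level -eq 5)
    }
}

function Get-MissingKBs {
    param([string[]]$KBs)
    # Get-HotFix lists installed updates by HotFixID (e.g. "KB1234567").
    $installed = (Get-HotFix).HotFixID
    $KBs | Where-Object { $_ -notin $installed }
}

$report = [pscustomobject]@{
    HyperVPresent = Test-HyperVPresent
    Ntlm          = Get-NtlmV1Status
    MissingKBs    = @(Get-MissingKBs -KBs $ExpectedKBs)
}
$report | Format-List
```

A host where `HyperVPresent` is true and `MissingKBs` is non-empty is the one to update first; `NtlmV1Refused` being false is a reason to review NTLM hardening policy independently of the patch itself.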