Microsoft Patches 3 Critical Zero-Day Flaws in Latest Update

Microsoft started 2025 with a significant rollout of security patches to address vulnerabilities across its software portfolio. This month’s update includes fixes for 161 security vulnerabilities and three zero-day flaws actively exploited in attacks. This article provides an in-depth look at the updates, implications, and steps for safeguarding systems.

Highlights of the January 2025 Patches of 3 Critical Zero-Day Flaws

The updates address vulnerabilities in various Microsoft products, with 11 flaws rated as Critical and 149 as Important. Additionally, one vulnerability (CVE-2024-7344) related to a Windows Secure Boot bypass was addressed but not assigned a severity rating.

The Zero Day Initiative (ZDI) highlighted this patch as marking the most vulnerabilities addressed in a month since at least 2017.

Zero-Day Vulnerabilities Under Active Exploitation

Among the prominent updates are three zero-day vulnerabilities in Windows Hyper-V NT Kernel Integration VSP:

• CVE-2025-21333
• CVE-2025-21334
• CVE-2025-21335

Each has a CVSS score of 7.8, posing a significant risk, as attackers can use them to gain SYSTEM privileges.

These privilege escalation vulnerabilities are likely part of post-compromise activities, meaning attackers have already gained initial access to the target systems. Satnam Narang, a senior research engineer at Tenable, emphasized their role in expanding control after an initial breach.

Adam Barnett of Rapid7 explained that these vulnerabilities exist within the Virtualization Service Provider (VSP), a component responsible for synthetic device support in Hyper-V instances. Since the VSP operates as a security boundary, its exploitation underscores the need for heightened security measures in virtualized environments.

Impact on Federal Agencies

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply patches by February 4, 2025.

Publicly Known Vulnerabilities

Five additional vulnerabilities have been flagged as publicly known before this release:

1. CVE-2025-21186, CVE-2025-21366, CVE-2025-21395 (Microsoft Access Remote Code Execution Vulnerabilities): Exploiting these requires tricking users into opening specially crafted files.
2. CVE-2025-21275 (Windows App Package Installer Elevation of Privilege Vulnerability): Enables attackers to elevate privileges on affected systems.
3. CVE-2025-21308 (Windows Themes Spoofing Vulnerability): This vulnerability may lead to improper disclosure of an NTLM hash and was identified as a bypass for a previously addressed vulnerability (CVE-2024-38030).

Critical Vulnerabilities

Five Critical vulnerabilities were addressed, including:

1. CVE-2025-21294 – Microsoft Digest Authentication Remote Code Execution Vulnerability (CVSS score: 8.1)
2. CVE-2025-21295 – SPNEGO Extended Negotiation Security Mechanism Remote Code Execution Vulnerability (CVSS score: 8.1)
3. CVE-2025-21298 – Windows Object Linking and Embedding Remote Code Execution Vulnerability (CVSS score: 9.8)
4. CVE-2025-21307 – Windows Reliable Multicast Transport Driver Remote Code Execution Vulnerability (CVSS score: 9.8)
5. CVE-2025-21311 – Windows NTLM V1 Elevation of Privilege Vulnerability (CVSS score: 9.8)

Case Studies of Exploitation

CVE-2025-21298: Exploitation involves sending a specially crafted email to the victim. When Outlook opens or previews the email, attackers can execute remote code on the victim’s system.

CVE-2025-21295: This vulnerability enables unauthenticated attackers to execute malicious code remotely, potentially compromising enterprise infrastructure. Despite its high attack complexity, its severity lies in its ability to bypass core security layers without user interaction.

CVE-2025-21294 involves exploiting a race condition during the Microsoft Digest authentication process. Attackers can trigger a use-after-free scenario, allowing them to execute arbitrary code.

Information Disclosure Vulnerability in BitLocker

CVE-2025-21210 (CVSS score: 4.2) affects Windows BitLocker and could allow attackers to recover plaintext hibernation images if they gain physical access to a victim’s hard disk.

Kev Breen, a senior director at Immersive Labs, highlighted the potential impact: “RAM often contains sensitive data, such as credentials or personally identifiable information (PII), which can be extracted using free tools from hibernation files.”

Mitigation Recommendations

To mitigate risks from these vulnerabilities, users and organizations should:

1. Apply Patches Immediately
2. Microsoft’s January 2025 updates address all listed vulnerabilities. Ensure all systems are updated, particularly in environments utilizing Hyper-V or BitLocker.
3. Enhance Email Security
   • Configure email clients to display messages in plain text.
   • Educate users about the dangers of opening files or emails from unknown sources.
4. Strengthen Privilege Management
5. Regularly review and restrict administrative privileges to minimize the impact of privilege escalation attacks.
6. Monitor Network Activity
7. Implement tools to detect unusual activity, especially in systems utilizing Hyper-V.
8. Encrypt and Secure Sensitive Data
   • Use full-disk encryption to prevent unauthorized access to hard drives.
   • Regularly review policies for securing data at rest and in transit.

Broader Implications

This patch release highlights the increasing complexity of cybersecurity threats. It underscores the importance of adopting proactive strategies to manage vulnerabilities effectively. While many addressed flaws reflect Microsoft’s commitment to security, it also reveals the persistent challenges in maintaining secure software environments.

To safeguard against emerging threats, organizations must stay vigilant, prioritize critical updates, and foster a culture of cybersecurity awareness.

For more:

https://thehackernews.com/2025/01/3-actively-exploited-zero-day-flaws.html