
The Human Connection Blog

Patch Tuesday January 2025

KevBreen
2 days ago

Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive Labs' Cyber Threat Research Team reviews these patch notes for the standout vulnerabilities you need to know about.

CVE-2025-21335 - 7.8 - Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege 

Top of the list for patches to apply in the first Patch Tuesday of the year is a trio of Windows Hyper-V NT Kernel Integration VSP elevation of privilege vulnerabilities, tracked as CVE-2025-21335, CVE-2025-21333 and CVE-2025-21334. Don't be fooled by their relatively low CVSS score of 7.8: all three are being actively exploited by threat actors in the wild.

Hyper-V is deeply embedded in modern Windows 11. Beyond running virtual machines, the same hypervisor underpins virtualization-based security features such as Device Guard and Credential Guard, so these bugs matter on ordinary laptops and desktops, not just on virtualization hosts.

Microsoft has provided very little information about how threat actors are exploiting these vulnerabilities; however, they are listed as elevation of privilege vulnerabilities, meaning that an attacker who has already gained a foothold on a host, for example through a phishing attack, could use them to gain SYSTEM-level permissions on that device.

With SYSTEM-level permissions, threat actors can open up further attack paths, such as disabling security tooling or dumping credentials with tools like Mimikatz in order to pivot across the enterprise domain. These techniques are frequently observed from both nation-state and financially motivated groups such as ransomware operators.

CVE-2025-21210 - 4.2 - Windows BitLocker Information Disclosure Vulnerability

A vulnerability listed as an information disclosure in BitLocker is marked "Exploitation More Likely" by Microsoft. BitLocker is Windows' full disk encryption, designed to keep a device's data protected while it is offline and to prevent threat actors with physical access to a lost or stolen device from reading any sensitive data on the host. Microsoft's description of CVE-2025-21210 indicates that in some situations the hibernation image may not be fully encrypted and could be recovered in plaintext.

Hibernation images (hiberfil.sys) are written when a laptop hibernates, as distinct from sleeping, and contain the contents of RAM at the moment the device powered down. This presents a significant potential impact, since RAM can hold sensitive data (passwords, credentials and PII) from open documents or browser sessions, all of which can be recovered from a hibernation file with freely available tools.

Also of concern is that BitLocker keys are held in RAM while the system is running and may therefore be captured in the hibernation file; again, free tooling exists to recover BitLocker keys from hibernation files.

There is a large caveat here: physical access to the device is likely to be required, so laptop theft is the most likely way for threat actors to obtain a vulnerable device. If you have users who travel often with sensitive data, this should be a high priority to patch.
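As an added example (not part of the original post): a PowerShell inventory that tells you whether a given endpoint actually has the exposure this CVE depends on, namely hibernation enabled with a hibernation file present, and whether the OS volume that holds that file is BitLocker-protected. The function name and the priority labels are mine; the `HibernateEnabled` registry value, the `hiberfil.sys` path and the `Get-BitLockerVolume` cmdlet are standard Windows. The trailing `powercfg` suggestion is my own compensating control, not a workaround Microsoft documents for this CVE.

```powershell
# Added example, not from the original post. Run in an elevated session: Get-BitLockerVolume needs
# admin rights and the BitLocker module (present on Windows client SKUs that ship BitLocker).
function Get-HibernationExposure {
    # HibernateEnabled = 1 is what 'powercfg /hibernate on' sets; the image itself is written to
    # hiberfil.sys on the system drive.
    $power        = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $hiberEnabled = [bool]$power.HibernateEnabled
    $hiberPresent = Test-Path -LiteralPath (Join-Path $env:SystemDrive 'hiberfil.sys')

    # BitLocker state of the OS volume, which is where hiberfil.sys lives.
    $os = Get-BitLockerVolume -ErrorAction SilentlyContinue |
          Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $protection = if ($os) { [string]$os.ProtectionStatus } else { 'unknown (no BitLocker data)' }
    $method     = if ($os) { [string]$os.EncryptionMethod } else { $null }

    # Any device that hibernates is in scope for this patch; one that hibernates with BitLocker
    # off or suspended is already exposing RAM contents regardless of the CVE.
    $priority = if ($hiberPresent -and $protection -ne 'On') { 'High: hibernation file on an unprotected volume' }
                elseif ($hiberPresent)                       { 'Patch: hibernation in use' }
                else                                         { 'Lower: no hibernation image on disk' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        HibernateEnabled    = $hiberEnabled
        HiberfilPresent     = $hiberPresent
        BitLockerProtection = $protection
        EncryptionMethod    = $method
        PatchPriority       = $priority
    }
}

Get-HibernationExposure | Format-List

# Compensating control while the patch is rolled out (my suggestion, not a Microsoft workaround for
# this CVE): stop writing hibernation images at all. Trade-off: users lose hibernate and fast startup.
#   powercfg /hibernate off
```

Feed the object into whatever your RMM or endpoint tooling collects so you can target the travelling-user population the post describes first.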

CVE-2025-21298 - 9.8 - Windows OLE Remote Code Execution Vulnerability

Another CVE high on the list to patch sooner rather than later is CVE-2025-21298. While not yet known to be exploited in the wild, Microsoft lists it as "Exploitation More Likely". It is a remote code execution vulnerability in Windows OLE that can be triggered with a malicious RTF document. Microsoft has rated it Critical with a CVSS score of 9.8, almost a perfect 10.

RTF files are documents typically opened in Office applications such as Microsoft Word. They are often sent as attachments or links in phishing campaigns, with attractive names as lures to convince users to open them. For organizations not able to patch immediately, the workaround provided by Microsoft is to read email from unknown sources in Outlook in plain text format, so that RTF content in a message body is not rendered automatically. Note that this covers the message itself; it does not protect a user who saves an RTF attachment and opens it in Word.
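The plain-text workaround as a scripted setting, added here as an example (not code from the original post). It writes the per-user `ReadAsPlain` value that the Outlook "Read all standard mail in plain text" option toggles; the `16.0` path assumes Office 2016 / Microsoft 365, and the policy-key location in the comment is my understanding of where the equivalent Group Policy setting lands.

```powershell
# Added example, not from the original post: apply (or revert) Microsoft's "read email in plain text"
# workaround for the signed-in user. Key path assumes Office 2016 / Microsoft 365 (16.0).
function Set-OutlookReadAsPlain {
    param([switch]$Revert)

    # Per-user preference. The GPO "Read e-mail as plain text" is understood to write the same value
    # under HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail, which takes precedence.
    $key = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # 1 = render every message as plain text, 0 = normal HTML/RTF rendering.
    $value = if ($Revert) { 0 } else { 1 }
    Set-ItemProperty -Path $key -Name ReadAsPlain -Value $value -Type DWord

    # Read the value back so the caller can verify it; Outlook applies it on next start.
    (Get-ItemProperty -Path $key -Name ReadAsPlain).ReadAsPlain
}

Set-OutlookReadAsPlain              # enforce while unpatched
# Set-OutlookReadAsPlain -Revert    # restore rich rendering once the update is installed
```

Plain-text mode also drops images and HTML formatting for every message, so treat it as a temporary control and revert it after patching.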

CVE-2025-21294 - 8.1 - Microsoft Digest Authentication Remote Code Execution Vulnerability

Microsoft Digest is the security support provider (wdigest.dll) responsible for performing initial authentication when a server receives the first challenge-response from a client; the server works by checking whether the client has already been authenticated. Listed among the higher-rated vulnerabilities this month at CVSS 8.1, CVE-2025-21294 involves exploitation of this process to achieve remote code execution (RCE) without authentication.

CVE-2025-21311 - 9.8 - Windows NTLM V1 Elevation of Privilege Vulnerability

NTLMv1 (NT LAN Manager version 1) is a legacy Microsoft authentication protocol that uses a challenge-response mechanism to verify a user's password without sending it over the wire. Microsoft has graded this vulnerability at the maximum severity rating of Critical because of its impact upon exploitation. What makes it so impactful is that it is remotely exploitable, so an attacker can reach vulnerable machines over the network, and that it does not require significant knowledge or skill, so the same payload can achieve repeatable success against any vulnerable system.

NTLMv1 is an older protocol that is still in use across industry. Microsoft's mitigation advice is to set the LmCompatibilityLevel registry value (the Group Policy setting "Network security: LAN Manager authentication level") to its maximum value of 5 on all systems, which sends NTLMv2 responses only and refuses LM and NTLMv1; the vulnerability does not exist in NTLMv2.
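Added example (not from the original post): the LmCompatibilityLevel mitigation as an audit-then-enforce script. Before refusing NTLMv1 you want to know who still speaks it, so the third function hunts Security event 4624 for logons whose `LmPackageName` is `NTLM V1`. The function names and the default-level assumption (3 when the value is unset, on all supported Windows versions) are mine; the registry path, level meanings and the 4624 field names are standard Windows.

```powershell
# Added example, not from the original post. Needs an elevated session (HKLM write, Security log read).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'   # Microsoft's recommended setting
}

function Get-LmCompatibilityLevel {
    $v = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    # When the value is absent the OS default applies (assumed 3 on supported Windows versions).
    $source = if ($null -eq $v) { $v = 3; 'default (value not set)' } else { 'registry' }
    [pscustomobject]@{ Level = [int]$v; Meaning = $LevelMeaning[[int]$v]; Source = $source; Compliant = ([int]$v -eq 5) }
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level = 5)
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    Get-LmCompatibilityLevel   # return the new state; reboot to be certain LSA has picked it up
}

function Find-NtlmV1Logons {
    # Security event 4624 carries the NTLM flavour used in EventData/LmPackageName ("NTLM V1", "NTLM V2" or "-").
    param([int]$Hours = 24)
    $ms = [int64]$Hours * 3600 * 1000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
             "and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress
            LogonType   = $d.LogonType
        }
    }
}

Get-LmCompatibilityLevel
Find-NtlmV1Logons -Hours 168 | Sort-Object Time | Format-Table -AutoSize
# Set-LmCompatibilityLevel -Level 5   # enforce once the audit above comes back empty
```

Run the audit on domain controllers and file servers first: they see the NTLMv1 logons that printers, NAS appliances and old line-of-business services still generate, and those are the systems that break when level 5 is enforced without warning.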

 

CVE-2025-21314 - 6.5 - Windows SmartScreen Spoofing Vulnerability

The human element is a major target for cyber criminals. This vulnerability does not score very highly on the CVSS scale, sitting at 6.5, but it highlights how often phishing, spoofing and other social engineering techniques are still used to great success alongside technically driven exploitation.

Microsoft Defender SmartScreen protects against phishing and malware websites and applications, and against the download of potentially malicious files. Exploiting this vulnerability requires an attacker to send a malicious file to the victim, who must then interact with it; that user-interaction requirement is why the CVSS score is lower.

While details of this particular vulnerability are scarce, previous SmartScreen vulnerabilities built on deceptive misuse of the feature, such as CVE-2024-21412, allowed attackers to bypass SmartScreen warnings so they were never displayed to the user, and to stop SmartScreen flagging malicious software disguised as legitimate program installers. The clear impact is malware being dropped onto the machine, from which an attacker can steal data, elevate privileges or deploy ransomware to cut off an organization's access to its own sensitive data. Organizations must prepare their workforces for these threats and ensure their people have the cyber capabilities needed to recognise and confront them.

 

CVE-2025-21297 & CVE-2025-21309 - 8.1 - Windows Remote Desktop Services Remote Code Execution Vulnerability

Critical RDP vulnerabilities have been among the most prolific vulnerabilities we have seen over the years. BlueKeep (CVE-2019-0708) and the related DejaBlue bugs that followed showed how many exploitable weaknesses RDP contained.

CVE-2025-21297, although Microsoft rates it "Exploitation Less Likely", may still be an opportunity for threat actors to take advantage of the remote-working world we now live in by researching and developing an exploit for it. It is described as a race condition that triggers a use-after-free, which can eventually be leveraged for arbitrary code execution.

CVE-2025-21309, however, is rated "Exploitation More Likely" and has been assigned the weakness Sensitive Data Storage in Improperly Locked Memory (CWE-591). This class of weakness can mean that secrets an attacker needs to fully exploit the system are left where they can be read; in the context of RDP, that points to sensitive material such as authentication credentials or session information being exposed to unauthorised access.

Anytime a bug for RDP comes up, it is always recommended to patch. 

CVE-2025-21362 & CVE-2025-21354 - 7.8 - Microsoft Excel Remote Code Execution Vulnerability

CVE-2025-21362 is a critical vulnerability in Microsoft Excel involving a use-after-free (CWE-416) weakness that allows attackers to achieve remote code execution (RCE) under specific conditions. It arises when Excel mismanages memory while parsing certain objects within a file; an attacker can craft a malicious Excel file whose specially designed elements trigger the bug when processed. This can happen even if the file is only previewed in the Preview Pane, since Excel partially renders the file to display its contents. The exploit leverages dangling references to freed memory to execute arbitrary code in the context of the Excel process. The CVSS metric lists the attack vector as local, meaning the code runs on the victim's machine; the malicious file itself can still be delivered remotely, for example by email or from a compromised website.

CVE-2025-21354 is a critical vulnerability in Microsoft Excel caused by an untrusted pointer dereference (CWE-822) weakness, again leading to potential remote code execution. It occurs when Excel fails to validate pointer references properly while processing certain data structures within a file. By crafting a malicious Excel file containing specifically tailored pointers, an attacker can manipulate memory access during parsing, which may result in arbitrary code execution in the context of the Excel process. Notably, this vulnerability can also be triggered through the Preview Pane, as Excel partially processes the file to generate a preview without the file being explicitly opened.

The worry with these Excel vulnerabilities is that Microsoft rates them "Exploitation More Likely", meaning it suspects they can be weaponised by attackers. With social engineering still one of the main ways attackers gain initial access, any vulnerability in Excel needs to be taken seriously by every company that uses it and patched immediately.

CVE-2025-21307 - 9.8 - Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability 

The Windows Reliable Multicast Transport Driver is a system component in Microsoft Windows that facilitates reliable multicast communication. It underpins protocols like Pragmatic General Multicast (PGM) to provide efficient and reliable data delivery to multiple recipients in a network, ensuring that all intended recipients receive the transmitted data correctly. 

Windows Pragmatic General Multicast (PGM) is a reliable multicast protocol supported by Microsoft Windows. It is designed to deliver data efficiently and reliably to multiple recipients simultaneously over a network and is primarily used by Microsoft Message Queuing (MSMQ) to support reliable multicast messaging. However, MSMQ must be explicitly configured to use PGM as its transport protocol; it is not on by default.

This vulnerability is a use-after-free memory corruption bug that requires no user interaction. PGM is not enabled by default, but if an organization has it enabled and a program is listening for PGM communication, an unauthenticated attacker only needs to send a malicious packet to the server to trigger the vulnerability. Because the bug is in a kernel driver, a successful attack gives the attacker kernel-level access to the machine. Businesses that use this protocol should therefore patch immediately.
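Because exposure hinges on configuration, the check a practitioner wants here is "is PGM actually in play on this host?". Added example (not from the original post): it reads the state of the `RMCAST` kernel driver through WMI (kernel drivers do not appear in `Get-Service`), the MSMQ optional features, and the MSMQ service. The function name and the `LikelyExposed` heuristic are mine; `MSMQ-Multicast` is the Windows client feature name and, to my understanding, the Windows Server equivalent is the `MSMQ-Multicasting` role feature.

```powershell
# Added example, not from the original post. Run elevated: Get-WindowsOptionalFeature requires admin rights.
function Get-PgmExposure {
    # rmcast.sys is the Reliable Multicast Protocol driver; drivers are only visible via Win32_SystemDriver.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue

    # MSMQ features on client SKUs. On Windows Server use: Get-WindowsFeature MSMQ-Multicasting (assumption).
    $features  = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
                 Where-Object { $_.FeatureName -like 'MSMQ*' }
    $multicast = $features | Where-Object { $_.FeatureName -eq 'MSMQ-Multicast' }

    $msmqSvc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue

    $drvState  = if ($drv)       { [string]$drv.State }       else { 'not installed' }
    $drvStart  = if ($drv)       { [string]$drv.StartMode }   else { $null }
    $mcState   = if ($multicast) { [string]$multicast.State } else { 'not present' }
    $svcStatus = if ($msmqSvc)   { [string]$msmqSvc.Status }  else { 'not installed' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RmcastState       = $drvState
        RmcastStartMode   = $drvStart
        MsmqFeatures      = ($features | ForEach-Object { "$($_.FeatureName)=$($_.State)" }) -join '; '
        MsmqMulticast     = $mcState
        MsmqServiceStatus = $svcStatus
        # Heuristic: the driver is loaded AND something (MSMQ multicast) is configured to speak PGM.
        # PGM is not TCP/UDP, so netstat will not show a listener; the driver/feature state is the indicator.
        LikelyExposed     = ($drvState -eq 'Running') -and ($mcState -eq 'Enabled')
    }
}

Get-PgmExposure | Format-List
```

Hosts where the driver is stopped and the multicast feature is absent still need the update, but the ones reporting `LikelyExposed = True` are where an unauthenticated packet could reach the bug today and should go first.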

 

CVE-2025-21292 - 8.8 - Windows Search Service Elevation of Privilege Vulnerability

CVE-2025-21292 highlights a serious issue in the Windows Search Service, where improper control of code generation (CWE-94) could let an attacker inject and execute arbitrary code, leading to elevation of privilege (EoP). The vulnerability stems from how the service processes certain inputs, potentially allowing malicious actors to abuse its functionality to gain higher privileges. Because the Windows Search Service is a core operating system component, constantly running in the background to index files and serve queries, successful exploitation can lead to broad system compromise rather than a single-application one.

An attacker who exploits this could escalate privileges and perform unauthorised actions such as installing malware or accessing sensitive data, and the deep integration of Windows Search into everyday workflows means any compromise of the service threatens the integrity of the whole system. Given how valuable elevation of privilege exploits are in attackers' toolkits, and that Microsoft rates this vulnerability "Exploitation More Likely" and therefore more likely to be weaponised, it should be patched immediately.

Updated 2 days ago