
3 Actively Exploited Zero-Day Flaws Patched in Microsoft’s Latest Security Update

The Hacker News by The Hacker News
January 15, 2025
Microsoft kicked off 2025 with a new set of patches for a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks.

Of the 161 flaws, 11 are rated Critical, and 149 are rated Important in severity. One other flaw, a non-Microsoft CVE related to a Windows Secure Boot bypass (CVE-2024-7344), has not been assigned any severity. According to the Zero Day Initiative, the update marks the largest number of CVEs addressed in a single month since at least 2017.

The fixes are in addition to seven vulnerabilities the Windows maker addressed in its Chromium-based Edge browser since the release of December 2024 Patch Tuesday updates.

Prominent among the patches released by Microsoft is a trio of flaws in Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335, CVSS scores: 7.8) that the company said have come under active exploitation in the wild –

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory for the three vulnerabilities.

As is customary, it’s currently not known how these shortcomings are being exploited, and in what context. Microsoft also makes no mention of the identity of the threat actors weaponizing them or the scale of the attacks.

But given that they are privilege escalation bugs, they are very likely used as part of post-compromise activity, where an attacker has already gained access to a target system by some other means, Satnam Narang, senior staff research engineer at Tenable, pointed out.

“The Virtualization Service Provider (VSP) resides in the root partition of a Hyper-V instance, and provides synthetic device support to child partitions over the Virtual Machine Bus (VMBus): it’s the foundation of how Hyper-V allows the child partition to trick itself into thinking that it’s a real computer,” Rapid7’s Lead Software Engineer, Adam Barnett, told The Hacker News.

“Given that the entire thing is a security boundary, it’s perhaps surprising that no Hyper-V NT Kernel Integration VSP vulnerabilities have been acknowledged by Microsoft until today, but it won’t be at all shocking if more now emerge.”

The active exploitation of the three Windows Hyper-V NT Kernel Integration VSP flaws has also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by February 4, 2025.

Separately, Redmond has warned that five of the bugs are publicly known –

It’s worth noting that CVE-2025-21308, which could lead to improper disclosure of an NTLM hash, was previously flagged by 0patch as a bypass for CVE-2024-38030. Micropatches for the vulnerability were released in October 2024.

All three Microsoft Access issues, on the other hand, have been credited to Unpatched.ai, an AI-guided vulnerability discovery platform. Action1 also noted that while the flaws are categorized as remote code execution (RCE) vulnerabilities, exploitation requires an attacker to convince the user to open a specially crafted file.

The update is also notable for closing out five Critical severity flaws –

  • CVE-2025-21294 (CVSS score: 8.1) – Microsoft Digest Authentication Remote Code Execution Vulnerability
  • CVE-2025-21295 (CVSS score: 8.1) – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
  • CVE-2025-21298 (CVSS score: 9.8) – Windows Object Linking and Embedding (OLE) Remote Code Execution Vulnerability
  • CVE-2025-21307 (CVSS score: 9.8) – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
  • CVE-2025-21311 (CVSS score: 9.8) – Windows NTLM V1 Elevation of Privilege Vulnerability

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” Microsoft said in its bulletin for CVE-2025-21298.

“Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.”

To safeguard against the flaw, Microsoft recommends that users read email messages in plain text format. It also advises configuring Microsoft Outlook to reduce the risk of users opening RTF files from unknown or untrusted sources.

“The CVE-2025-21295 vulnerability in the SPNEGO Extended Negotiation (NEGOEX) security mechanism allows unauthenticated attackers to run malicious code remotely on affected systems without user interaction,” Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit, said.

“Despite a high attack complexity (AC:H), successful exploitation can fully compromise enterprise infrastructure by undermining a core security mechanism layer, leading to potential data breaches. Because no valid credentials are required, the risk of widespread impact is significant, highlighting the need for immediate patches and vigilant mitigation.”

As for CVE-2025-21294, Microsoft said a bad actor could successfully exploit this vulnerability by connecting to a system which requires digest authentication, triggering a race condition to create a use-after-free scenario, and then leveraging it to execute arbitrary code.

“Microsoft Digest is the application responsible for performing initial authentication when a server receives the first challenge response from a client,” Ben Hopkins, cybersecurity engineer at Immersive Labs, said. “The server works by checking that the client has not already been authenticated. CVE-2025-21294 involves exploitation of this process for attackers to achieve remote code execution (RCE).”

Among the list of vulnerabilities that have been tagged as more likely to be exploited is an information disclosure flaw affecting Windows BitLocker (CVE-2025-21210, CVSS score: 4.2) that could allow for the recovery of hibernation images in plaintext assuming an attacker is able to gain physical access to the victim machine’s hard disk.

“Hibernation images are used when a laptop goes to sleep and contain the contents that were stored in RAM at the moment the device powered down,” Kev Breen, senior director of threat research at Immersive Labs, said.

“This presents a significant potential impact as RAM can contain sensitive data (such as passwords, credentials, and PII) that may have been in open documents or browser sessions and can all be recovered with free tools from hibernation files.”
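The KEV deadline and the CVSS scores quoted above are the two inputs a patch team normally combines when deciding what to roll out first. The following triage script is an added example, not code from the article, Microsoft or CISA: it takes the CVEs and scores named in this article, matches them against KEV records (constructed here to mirror the field names of CISA's KEV JSON feed, which would otherwise be downloaded separately), and ranks KEV-listed flaws by due date ahead of the rest by CVSS.

```python
"""Rank this month's Patch Tuesday CVEs by KEV status, due date and CVSS.

Added example, not from the original article. The KEV records below are
constructed samples shaped like the "vulnerabilities" list in CISA's KEV JSON
feed (cveID, dueDate, knownRansomwareCampaignUse); a real run would load the feed.
"""
from datetime import date

# CVEs named in the article, with the CVSS scores the article gives.
PATCH_TUESDAY = {
    "CVE-2025-21333": ("Hyper-V NT Kernel Integration VSP EoP", 7.8),
    "CVE-2025-21334": ("Hyper-V NT Kernel Integration VSP EoP", 7.8),
    "CVE-2025-21335": ("Hyper-V NT Kernel Integration VSP EoP", 7.8),
    "CVE-2025-21294": ("Microsoft Digest Authentication RCE", 8.1),
    "CVE-2025-21295": ("SPNEGO NEGOEX RCE", 8.1),
    "CVE-2025-21298": ("Windows OLE RCE", 9.8),
    "CVE-2025-21307": ("Windows RMCAST RCE", 9.8),
    "CVE-2025-21311": ("Windows NTLM V1 EoP", 9.8),
    "CVE-2025-21210": ("BitLocker hibernation info disclosure", 4.2),
}

# Constructed KEV sample: the three Hyper-V entries use the article's due date;
# the last record is a placeholder (not a real CVE) to show unrelated entries are ignored.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2025-21333", "dueDate": "2025-02-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-21334", "dueDate": "2025-02-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-21335", "dueDate": "2025-02-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0000", "dueDate": "2025-01-20", "knownRansomwareCampaignUse": "Known"},
]}


def kev_index(feed):
    """Map cveID -> KEV record so each lookup is O(1)."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def triage(patch_cves, feed, today_iso):
    """Return rows sorted: KEV-listed first (earliest due date first), then by CVSS descending."""
    today = date.fromisoformat(today_iso)
    kev = kev_index(feed)
    rows = []
    for cve, (title, cvss) in patch_cves.items():
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({"cve": cve, "title": title, "cvss": cvss, "exploited": entry is not None,
                     "due": due, "days_left": (due - today).days if due else None})
    rows.sort(key=lambda r: (not r["exploited"], r["due"] or date.max, -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in triage(PATCH_TUESDAY, KEV_SAMPLE, "2025-01-15"):
        flag = f"KEV due {r['due']} ({r['days_left']}d)" if r["exploited"] else "not in KEV"
        print(f"{r['cve']}  CVSS {r['cvss']:<4} {flag:<28} {r['title']}")
```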

Software Patches from Other Vendors

Besides Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
