On the first Patch Tuesday of 2025, Microsoft addressed three under-attack privilege escalation vulnerabilities in its Hyper-V hypervisor, among many other issues that deserved attention.
The Register reports this. The Hyper-V vulnerabilities are CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335. They are rated as significant in severity, with a score of 7.8 on the CVSS scale, and all three stem from memory safety errors: two use-after-free bugs and one heap buffer overflow.
This is worrisome because exploitation allows an attacker to gain SYSTEM privileges, the highest level of access on a Windows system. However, the vulnerabilities are not presented as guest-to-host escapes, but rather as a way for a malicious user or malware already present on a machine to obtain the highest privileges. The problems are present in Windows 10 and 11 and also in Windows Server 2022 and 2025.
Microsoft did not detail the nature or extent of the exploit.
Three critical vulnerabilities
In addition to Hyper-V, Microsoft has fixed three vulnerabilities that have been rated 9.8 out of 10 and are considered critical.
First is CVE-2025-21311, another privilege escalation vulnerability, this time in the NTLMv1 authentication system, and one that can be exploited remotely. Microsoft recommends setting LmCompatibilityLevel to its maximum value (5), which disables NTLMv1 while NTLMv2 continues to function.
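The following PowerShell snippet is an added example, not from the article or from Microsoft: it audits the LmCompatibilityLevel registry value that the recommended mitigation refers to and, only when run with `-Apply`, raises it to 5. It assumes an elevated session on a Windows host and that an absent value means the OS default is in effect.

```powershell
# Added example (not from the article): audit, and optionally apply, the
# LmCompatibilityLevel = 5 mitigation recommended for CVE-2025-21311.
# Assumptions: elevated PowerShell on Windows 10/11 or Windows Server; when
# the value is absent, Windows falls back to its OS default (3 on current releases).
function Test-NtlmV1Mitigation {
    [CmdletBinding()]
    param([switch]$Apply)

    $lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName = 'LmCompatibilityLevel'

    # Meaning of each level, per the "Network security: LAN Manager authentication level" policy.
    $levels = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only, refuse LM'
        5 = 'Send NTLMv2 response only, refuse LM & NTLM'
    }

    $item    = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { 3 } else { [int]$item.$valueName }   # 3 = assumed OS default
    $explicit = $null -ne $item

    [pscustomobject]@{
        Level       = $current
        Description = $levels[$current]
        ExplicitlySet = $explicit
        # Only level 5 refuses NTLMv1 responses outright, which is the recommended state.
        Mitigated   = ($current -eq 5)
    } | Format-List

    if ($Apply -and $current -ne 5) {
        # Before enforcing fleet-wide, check Security event 4624 for logons whose
        # "Package Name (NTLM only)" field reads "NTLM V1"; those clients will break.
        Set-ItemProperty -Path $lsaPath -Name $valueName -Value 5 -Type DWord
        Write-Output "Set $valueName to 5 (refuse LM & NTLMv1)."
    }
}

Test-NtlmV1Mitigation          # audit only
# Test-NtlmV1Mitigation -Apply # audit and enforce level 5
```

Run it without `-Apply` first across a sample of hosts; a level below 5 that is not explicitly set usually means the value is inherited from the OS default rather than from Group Policy.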
In addition, CVE-2025-21298 is a vulnerability in the Windows Object Linking and Embedding (OLE) framework. Exploitation can occur when a user opens a specially prepared Outlook e-mail. This issue affects Windows 10, Windows 11, and supported versions of Windows Server from Windows Server 2016 onward.
Finally, CVE-2025-21307 concerns a vulnerability in Windows Pragmatic General Multicast (PGM). It can be exploited by sending specially prepared packets to an open PGM socket. Although PGM should not normally be publicly reachable, systems that ignore that advice are vulnerable.
Sub-9.0 CVSS vulnerabilities
Although the following three vulnerabilities score lower on the CVSS scale, Microsoft considers them critical because they could allow unwanted code to execute without user interaction.
The first is CVE-2025-21296, an issue in BranchCache that can be exploited from within the same local network by winning a race condition. The second is CVE-2025-21295, a flaw in Microsoft's SPNEGO Extended Negotiation Mechanism (NEGOEX) that allows an attacker to execute code remotely. The third is CVE-2025-21294, a vulnerability in Microsoft's Digest Authentication that can lead to a use-after-free and arbitrary code execution.
Two critical Excel flaws, CVE-2025-21362 and CVE-2025-21354, allow attackers to execute code when a user opens a malicious file.