Windows

Windows Update Stack Privilege Escalation Vulnerability (CVE-2025-21204) – PoC Released

The flaw, disclosed by researchers at Cyberdom Blog, poses a significant risk to millions of Windows users and organizations relying on windows.

OEM	Windows
Severity	HIGH
CVSS Score	7.8
CVEs	CVE-2025-21204
POC Available	Yes
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

A high-severity vulnerability in the Windows Update Stack, CVE-2025-21204, enables local attackers to escalate privileges to SYSTEM level by exploiting trusted path abuse through symbolic links. The flaw affects various versions of Windows 10, Windows 11, and Windows Server.

A working proof-of-concept (PoC) exploit has been publicly released by security researcher Elli Shlomo, increasing the urgency to patch. The issue is addressed in the April 2025 cumulative update KB5055523.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Update Stack Privilege Escalation	CVE-2025-21204	Windows	HIGH	7.8

Technical Summary

The vulnerability lies in how Windows Update processes such as MoUsoCoreWorker.exe and UsoClient.exe, which run with SYSTEM privileges, handle directory junctions. Attackers can delete the legitimate Tasks directory under C:\ProgramData\Microsoft\UpdateStack and replace it with a symbolic link pointing to an attacker-controlled path. This allows the execution of arbitrary code as SYSTEM without triggering traditional security mechanisms.

A public PoC developed by Elli Shlomo demonstrates this exploit using only native Windows features—no external binaries or code injection required.

This opens the door for a range of attacks, including installing persistent malware, disabling security tools, or accessing sensitive data.

CVE ID	System Affected	Vulnerability Details	Exploit Prerequisites	Impact
CVE-2025-21204	Windows 10 (10.0.10240.0 < 10.0.10240.20978, etc.), Windows 11, Server	Misuse of NTFS junctions allows local attackers to redirect C:\ProgramData\Microsoft\UpdateStack\Tasks to attacker-controlled locations. SYSTEM-level update processes follow these junctions and execute unauthorized code.	Attackers must have local access and limited user privileges; no user interaction required	Local privilege escalation, Code execution

Source: Cyberdom

Recommendations:

Apply the April 2025 cumulative update (KB5055523) immediately.

Restrict ACLs on C:\ProgramData\Microsoft\UpdateStack.

Use AppLocker or WDAC to block symbolic link creation in sensitive directories.

Monitor file operations involving UpdateStack and inetpub, regardless of IIS presence.

Detect attempts to create NTFS junctions targeting update directories.

Conclusion:
CVE-2025-21204 is an example of a rather low-level and impactful threat doing trusted path abuse rather than complex memory corruption. This vulnerability demonstrates how attackers will exploit trust assumptions built into the operating system via native components.

The only defenses available are to immediately patch and harden directory access controls to stop this low-level and minimally visible localized privilege escalation.

References:

https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/

https://raw.githubusercontent.com/eshlomo1/CloudSec/refs/heads/main/Attacking%20the%20Cloud/CVE-2025-21204/Exploit-CVE2025-UpdateStackLPE-NonAdmin.ps1

https://msrc.microsoft.com/update-guide/releaseNote/2025-Apr

Windows 11 DLL Flaws Open Doors to Privilege Escalation!

Summary

Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows CVE-2025-24076 and CVE-2025-24994.

DLL hijacking is a technique that exploits how Windows applications load DLLs.

OEM	Windows
Severity	HIGH
CVSS Score	7.3
CVEs	CVE-2025-24994, CVE-2025-24076
No. of Vulnerabilities Patched	02
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Cross Device Service Elevation of Privilege Vulnerability	CVE-2025-24076	Windows	HIGH	7.3
Windows Cross Device Service Elevation of Privilege Vulnerability	CVE-2025-24994	Windows	HIGH	7.3

Technical Summary

The vulnerability arises due to Windows 11’s “Mobile devices” functionality loading a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy that executes with elevated privileges.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24076	Windows 11 Version 22H2, 22H3, 23H2, 24H2.	Exploits a race condition in the “Mobile devices” feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when replaced with a malicious DLL. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window.	Allows SYSTEM-level privilege escalation
CVE-2025-24994	Windows 11 Version 22H2, 22H3, 23H2, 24H2	Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user’s context. This vector is less severe but still exploitable.	Allows user-to-user privilege escalation

Remediation:

Implement Security Updates to make sure to install the current security patches made available by Microsoft, specifically March 2025 updates, into affected systems.

Turn off Cross Device Service if not needed, disable the “Mobile Devices” feature in Windows 11 to avoid exploitation of the vulnerabilities.

Look for Suspicious Activity constantly scan system logs for suspect activity, particularly attempts to alter or load DLL files in protected processes.

Restrict User Permissions prevent non-administrative users from changing system files or running processes with elevated privileges.

Support DLL Signature Verification makes all programs support DLL signature verification so that no applications can load unsigned or altered DLL files.

Conclusion:
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.

The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.

While CVE-2025-24076 enables SYSTEM-level access but CVE-2025-24994 arises from a related user-level process failing to validate DLLs.

This opens the door to user-to-user attacks, though its impact is far less severe compared to its SYSTEM-targeting sibling.

References:

https://securityonline.info/windows-11-privilege-escalation-flaws-uncovered-cve-2025-24076-and-cve-2025-24994/

https://blog.compass-security.com/2025/04/3-milliseconds-to-admin-mastering-dll-hijacking-and-hooking-to-win-the-race-cve-2025-24076-and-cve-2025-24994/

https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar

April Zero-Day Threats Addressed in Microsoft’s Patch Tuesday

Summary of Microsoft April Patch Tuesday

Microsoft released April 2025 Patch Tuesday, addressed 135 security vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) already being actively exploited.

126 Microsoft CVEs addressed
9 non-Microsoft CVEs included

Microsoft April Patch Tuesday is released every month on priority basis so that organization can address the vulnerabilities as advised by security analysts

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-04-08
No. of Vulnerabilities Patched	135
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

Key updates focus on core Windows components like the CLFS driver, Windows Kernel, and multiple remote code execution (RCE) vulnerabilities across many services including Remote Desktop Gateway, LDap, and TCP/IP.

The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.

On a similar note publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day vulnerability]	CVE-2025-29824	Windows	High	7.8
Remote Desktop Gateway Service RCE Vulnerability	CVE-2025-27480 CVE-2025-27482	Windows	High	8.1
LDAP Service RCE Vulnerability	CVE-2025-26663	Windows	High	8.1
LDAP Client RCE Vulnerability	CVE-2025-26670	Windows	High	8.1

Technical Summary

The April 2025 update fixes several high-severity vulnerabilities in Microsoft products, here are some vulnerabilities details:

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-29824	Windows 10/11, Windows Server	An elevation of privilege vulnerability in the Windows Kernel caused by improper object access. Attackers with local access could exploit this to gain SYSTEM privileges.	Elevation of Privilege
CVE-2025-27480 CVE-2025-27482	Windows RDS	Race condition in Remote Desktop Gateway; triggers use-after-free allowing code execution	Remote Code Execution
CVE-2025-26663	Windows LDAP	Crafted LDAP call causes use-after-free, leading to arbitrary code execution	Remote Code Execution
CVE-2025-26670	Windows TCP/IP	Memory mismanagement during DHCPv6 handling, complex exploit chain.	Remote Code Execution

Source: Microsoft & NVD

In addition to the actively exploited vulnerabilities, several other Vulnerabilities were also addressed:

CVE-2025-27745, CVE-2025-27748, CVE-2025-27749 – Office Use-After-Free RCE Vulnerability

These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.

CVE-2025-27752 – Excel Heap Overflow RCE Vulnerability

An attacker could bypass security features via improper neutralization in the Microsoft Management Console, leading to remote code execution and potential full system compromise.

CVE-2025-29791 – Excel Type Confusion RCE Vulnerability

This vulnerability allows local attackers to exploit improper logging in NTFS, potentially granting unauthorized access to sensitive memory areas, which could lead to arbitrary code execution.

CVE-2025-26686 – Windows TCP/IP RCE Vulnerability

Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.

CVE-2025-27491 – Windows Hyper-V RCE Vulnerability

This vulnerability can be exploited by guest users through social engineering, enabling remote code execution on the host system, with a high complexity for successful exploitation.

Remediation:

Apply Patches Promptly: Install the April 2025 security updates immediately to mitigate risks.

General Recommendations:

Prioritize Zero-Day & Critical Vulnerabilities: Focus on patching actively exploited vulnerabilities, especially those affecting Windows CLFS, RDS, LDAP, Excel, and SharePoint-related CVEs.
Secure File System Access: Implement security controls to prevent unauthorized access to NTFS and FAT file systems, particularly against USB-based attack vectors.
Educate Employees: Train users in phishing risks to reduce the chances of executing malicious Microsoft Access files.
Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity.

“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.

Conclusion:

The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.

Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.

IT teams and users are urged to promptly install the security updates and implement recommended security controls to mitigate these risks. As these vulnerabilities are actively exploited, immediate action is crucial to safeguarding systems from potential compromise.

References:

https://msrc.microsoft.com/update-guide/releaseNote/2025-Apr

Spoofing Vulnerability in WhatsApp Desktop for Windows

Summary

Be careful when you open that file in whatapp, it might have that spoofing flaw allowing Arbitrary Code Execution (CVE-2025-30401) and affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug .

Overview

The vulnerability has been fixed in version 2.2450.6. WhatsApp has and will always be an attractive field for attackers and this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Spoofing Vulnerability	CVE-2025-30401	WhatsApp Desktop for Windows	Medium	2.2450.6

Technical Summary

The vulnerability results from WhatsApp for Windows’s different handling of attachments. It opens files depending on their filename extension while displaying files based on their MIME type. This mismatch allows attackers to spoof file types and trick users into launching malicious executables.

Example Scenario:

An attacker sends a file named cat.jpg.exe with a MIME type of image/jpeg. WhatsApp displays the file as an image (because of the MIME type), misleading the user. If the user manually opens the attachment from within WhatsApp, Windows uses the .exe extension to execute the file — potentially launching malicious code.

This form of UI spoofing can be especially effective in group chats, where malicious attachments may be distributed widely and appear harmless.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-30401	WhatsApp Desktop for Windows (<2.2450.6)	MIME type used for display, but file extension used for execution. A mismatch between the two could allow a file to appear harmless (e.g., image), while actually being executable (e.g., .exe).	Remote Arbitrary code execution

Remediation:

Official Patch Available: The vulnerability has been resolved by Meta (formerly Facebook). Users should update WhatsApp for Windows to version 2.2450.6 or latest version.

Conclusion:

CVE-2025-30401 is a key example of how inconsistent file processing in the user interface can result in serious security threats. Attackers can create misleading payloads that can run arbitrary code by taking advantage of users’ faith in how apps display attachments.

Due to the possibility of remote exploitation, users should update to the latest WhatsApp version 2.2450.6 or later. Patching should be done right away to avoid any compromise.

Be careful when you click attachments.

References:

https://www.facebook.com/security/advisories/cve-2025-30401

https://cybersecuritynews.com/whatsapp-for-windows-vulnerability/

Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems

CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.

OEM	Microsoft
Severity	High
CVSS	7.8
CVEs	CVE-2018-8639
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview on Vulnerability

The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat.

Vulnerability Name	CVE ID	Product Affected	Severity
Privilege Escalation Vulnerability	CVE-2018-8639	Windows	High

Technical Summary

The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.

Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2018-8639	Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019	Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation.	System compromise, unauthorized access, potential malware persistence

Remediation:

Organizations and individuals must apply Microsoft’s security updates released in December 2018 (KB4483235) to mitigate the risk.

Additionally, it is essential to apply all available updates from Windows to ensure comprehensive protection against known vulnerabilities.

General Recommendations:

Implement network segmentation to isolate critical assets and minimize the impact of potential security breaches.

Adopting the principle of least privilege (PoLP) to limit user access.

Continuous monitoring of anomalous kernel-mode activities.

Conclusion:

Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk.

References:

https://nvd.nist.gov/vuln/detail/cve-2018-8639

https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exploited-vulnerabilities-catalog

https://github.com/ze0r/CVE-2018-8639-exp

Microsoft Updates Patch Tuesday for Feb 2025; Address 67 Vulnerabilities, Includes 2 Exploited Zero-Days

Summary

Microsoft’s February 2025 Patch Tuesday addresses multiple security vulnerabilities, including four zero-days, with two actively exploited in the wild. This update covers a total of 67 security flaws, with three classified as critical Remote Code Execution (RCE) vulnerabilities.

Microsoft issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-02-11
No. of Vulnerabilities Patched	67
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

The affected products include Windows, Microsoft Office, Microsoft Surface, and various network services. Organizations are strongly advised to apply these patches immediately to mitigate security risks and potential cyberattacks.

63 Microsoft CVEs addressed

4 non-Microsoft CVEs included

The highlighted vulnerabilities include 4 zero-day flaws, 2 of which are currently being actively exploited.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	CVE-2025-21418	Windows	High	7.8
Windows Storage Elevation of Privilege Vulnerability	CVE-2025-21391	Windows	High	7.1
Microsoft Surface Security Feature Bypass Vulnerability	CVE-2025-21194	Windows	High	7.1
NTLM Hash Disclosure Spoofing Vulnerability	CVE-2025-21377	Windows	Medium	6.5

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-21418	Windows server and Windows 10 & 11	Windows ancillary function driver for winsock elevation of privilege vulnerability enables attackers to escalate privileges to SYSTEM level. Specific exploitation details are not disclosed.	Unauthorized access with SYSTEM privileges.
CVE-2025-21391	Windows server and Windows 10 & 11	Windows storage elevation of privilege vulnerability allows attackers to delete targeted files on a system, potentially leading to service unavailability. Does not expose confidential data.	Deletion of critical data, leading to service disruption.
CVE-2025-21194	Microsoft Surface	Microsoft surface security feature bypass vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Likely related to “PixieFail” vulnerabilities affecting the IPv6 network stack in Tianocore’s EDK II firmware.	Bypass of security features, potentially compromising system integrity.
CVE-2025-21377	Windows server and Windows 10 & 11	NTLM hash disclosure spoofing vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks.	Potential for attackers to authenticate as the user, leading to unauthorized access.

Source: Microsoft

In addition to the actively exploited vulnerabilities, several other critical flaws were also addressed:

CVE-2025-21376: A Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability that could allow attackers to execute arbitrary code remotely.

CVE-2025-21379: A DHCP Client Service RCE vulnerability that may enable remote attackers to execute code with elevated privileges.

CVE-2025-21381: An RCE vulnerability in Microsoft Excel that could be triggered through malicious spreadsheet files.

Remediation:

Apply Updates: Immediately install the February 2025 Patch Tuesday updates to address these vulnerabilities.

Conclusion:

The February 2025 Patch Tuesday release addresses critical security vulnerabilities, including actively exploited zero-days. Timely application of these updates is essential to protect systems from potential threats. Organizations should review the affected products and implement the necessary patches and mitigations to maintain security integrity.

The attack vector is local, meaning the attacker needs local access — physically or remotely, using SSH method without user interaction and if successful in exploiting, can give the attacker system privileges.

References:

https://msrc.microsoft.com/update-guide/releasenote/2025-Feb

https://cybersecuritynews.com/microsoft-patch-tuesday-february-2025/

Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild

Summary

OEM	Microsoft
Severity	Critical
CVSS Score	7.8
CVE	CVE-2024-49138
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0
Publicly POC Available	Yes

Overview

The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.

Vulnerability Name	CVE ID	Product Affected	Severity
CLFS Privilege Escalation	CVE-2024-49138	Microsoft Windows	High

Technical Summary

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-49138	Windows 10, Windows 11, Windows Server 2008–2025	Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released.	Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device.

Remediations

Update Systems: Apply Microsoft’s December 2024 patches without delay.
Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
Limit Access: Implement robust access controls and harden systems.

Conclusion:

The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.

References

https://securityonline.info/zero-day-vulnerability-in-windows-exploited-cve-2024-49138-poc-code-released/
https://github.com/MrAle98/CVE-2024-49138-POC?tab=readme-ov-file
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49138
https://intruceptlabs.com/2024/12/microsoft-december-2024-patch-tuesday-critical-fixes-for-zero-day-and-remote-code-execution/

Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities

Summary

Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.

Key take away:

Microsoft addressed 159 vulnerabilities across multiple products, including eight zero-day flaws, with three actively exploited in the January 2025 Patch Tuesday updates.
Key vulnerabilities include privilege escalation flaws in Hyper-V and remote code execution bugs in Microsoft Excel.
This marks highest number of fixes in a single month since at least 2017.

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-01-14
No. of Vulnerabilities Patched	159
Actively Exploited	yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows:

58 Remote Code Execution (RCE) Vulnerabilities

40 Elevation of Privilege (EoP) Vulnerabilities

22 Information Disclosure Vulnerabilities

20 Denial of Service (DoS) Vulnerabilities

14 Security Feature Bypass

5 Spoofing Vulnerabilities

The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Elevation of privilege vulnerability	CVE-2025-21333, CVE-2025-21334, CVE-2025-21335	Windows	High	7.8
Elevation of Privilege Vulnerability	CVE-2025-21275	Windows	High	7.8
Remote Code Execution Vulnerability	CVE-2025-21186,CVE-2025-21366, CVE-2025-21395	Windows	High	7.8
Spoofing Vulnerability	CVE-2025-21308	Windows	Medium	6.5

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-21333, CVE-2025-21334, CVE-2025-21335	Windows Hyper-V NT Kernel	No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously.	Allow attackers to gain SYSTEM privileges
CVE-2025-21275	Windows App Package Installer	Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges.	Attackers could gain SYSTEM privileges
CVE-2025-21186,CVE-2025-21366, CVE-2025-21395	Microsoft Access	Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents.	Remote Code Execution
CVE-2025-21308	Windows Themes	Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft.	NTLM credential theft

Source: Microsoft

Additional Critical Patches Address High-Severity Vulnerabilities

Eight of this month’s patches address Virtual Secure Mode components, requiring administrators to follow Microsoft’s guidance for updating virtualization-based security (VBS) issues. (CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370).

Windows NTLM V1 Elevation of Privilege Vulnerability (CVE-2025-21311).

Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298).

Remediation:

Apply Updates: Immediately install the January 2025 Patch Tuesday updates to address these vulnerabilities.

Disable NTLM: For CVE-2025-21308, consider disabling NTLM or enabling the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to mitigate the risk.

Exercise Caution with Untrusted Files: Avoid opening or interacting with files from untrusted sources, especially those with extensions associated with Microsoft Access.

Conclusion:

The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits.

References:

https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan

Critical Windows Privilege Escalation Vulnerability with Public Exploit

Cybersecurity researchers reported a critical Windows privilege escalation vulnerability, identified as CVE-2024-43641 affecting Microsoft Windows. This flaw, which affects various editions of Windows Server 2025, Windows 10, and Windows 11, has been assigned a CVSS v3.1 score of 7.8, indicating high severity.

Summary

OEM	Microsoft
Severity	High
CVSS	7.8
CVEs	CVE-2024-43641
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A significant Windows Registry Elevation of Privilege vulnerability, identified as CVE-2024-43641, affects multiple editions of Windows. A recently released Proof-of-Concept (PoC) exploit demonstrates how attackers can exploit this flaw to gain elevated privileges.

Vulnerability Name	CVE ID	Product Affected	Severity
Windows Registry Elevation of Privilege Vulnerability	CVE-2024-43641	Windows	High

Technical Summary

The vulnerability, CVE-2024-43641, exploits a design flaw in Windows registry hive memory management, specifically during a double-fetch process under memory pressure. This flaw allows malicious SMB servers to respond with differing data for consecutive read requests, breaking kernel assumptions and enabling privilege escalation to SYSTEM level. Key technical details are as follows:

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-43641	Windows 10, Windows 11, Windows Server 2008–2025	The vulnerability involves improper handling of registry hive memory management under memory pressure. A malicious SMB server can respond with differing data to consecutive read requests, breaking kernel assumptions. Exploitation leverages a “False File Immutability” (FFI) condition.	Allows attackers to escalate privileges, execute arbitrary code, and compromise system integrity.

Remediation:

Apply Patches: Users and system administrators are strongly advised to promptly apply the latest security updates.

Monitor Activity:

Monitor logs for suspicious activity related to registry operations.

The cybersecurity community is actively monitoring the situation for any indications of active exploitation in the wild.

Conclusion:

CVE-2024-43641 is a high-severity vulnerability with a publicly available PoC exploit. It is crucial to apply security patches immediately and follow best practices to mitigate the risk of exploitation. Organizations must stay alert and monitor ongoing developments to ensure complete protection against this emerging threat.

References: