External risk intelligence

Windows Hyper-V Elevation of Privilege Vulnerability.

CVE advisoryKnown Exploit

CVE-2025-21335

A vulnerability in Windows Hyper-V allows a local attacker to escalate privileges, potentially impacting system integrity and data confidentiality. Organizations using affected Windows versions should apply vendor-provided updates to mitigate this risk.

1Halo Surface Signal

Use After Free

Microsoft Windows 10 21h2

before 10.0.19044.5371before 10.0.19045.5371before 10.0.22621.4751before 10.0.22631.4751before 10.0.26100.2894before 10.0.25398.1369

External exposure likelihood

Halo Surface Signal score for CVE-2025-21335

This vulnerability resides within the Windows Hyper-V NT Kernel Integration VSP. It is a local-only elevation of privilege vulnerability that requires an attacker to already have authenticated access to the local system to execute, making it physically or logically isolated from direct public internet exposure.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

The Windows Hyper-V NT Kernel Integration VSP has a vulnerability that could allow an attacker with local access to escalate privileges. This flaw exists within the core functionality of the operating system's virtualization components. The potential impact includes unauthorized access to sensitive data and disruption of critical services.

  • Vulnerable Hyper-V component
  • Flaw allows privilege escalation
  • Compromised data and system integrity

Attack Path

How an attacker could exploit the issue

This vulnerability in Windows Hyper-V allows an attacker with local access to gain elevated privileges. The attack involves exploiting a use-after-free flaw within the NT Kernel Integration VSP. Successful exploitation could lead to an attacker gaining SYSTEM-level control over the affected system.

  • Local access required for exposure.
  • Attacker triggers vulnerability.
  • Attacker gains SYSTEM control.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in Windows Hyper-V affects local privilege escalation. This could allow an authenticated user with limited access to gain higher-level system control. The impact involves potential unauthorized access to sensitive data and system compromise within the affected organization. Given the potential for significant system access, this vulnerability warrants attention.

  • Likely attacker skill level: Moderate.
  • Required access or conditions: Local system access.
  • Business risk or urgency: High impact.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A vulnerability has been identified in Windows Hyper-V NT Kernel Integration VSP that could allow an attacker with local access to elevate their privileges. Organizations should prioritize understanding which systems are impacted and take steps to limit potential exposure. Applying vendor-provided fixes and verifying their successful implementation are crucial next steps, followed by ongoing monitoring for related security events.

  • Identify exposed Hyper-V assets.
  • Limit access to affected systems.
  • Apply vendor updates and verify.
  • Monitor for related activity.

Frequently asked questions

What is the Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability?

This vulnerability is an elevation of privilege flaw within the Windows Hyper-V NT Kernel Integration VSP. It allows a local attacker who already has authenticated access to gain higher-level SYSTEM privileges on the affected system.

What weakness class does CVE-2025-21335 represent?

CVE-2025-21335 represents a use-after-free vulnerability, categorized under CWE-416. This means a program attempts to access memory that has already been deallocated, potentially leading to instability or exploitation.

How can an attacker exploit CVE-2025-21335?

An attacker with local system access can trigger this vulnerability. The exploit targets the NT Kernel Integration VSP within Windows Hyper-V, ultimately allowing the attacker to gain SYSTEM-level control over the compromised machine.

What is the relevance of CVE-2025-21335 given Halo Surface Signal?

Halo classifies this CVE as 'Very unlikely' to be exposed externally. While it's a local privilege escalation vulnerability, it requires an attacker to have already gained access to the local system, making it isolated from direct internet exposure.

What steps should be taken to address this Hyper-V vulnerability?

Organizations should identify affected Hyper-V systems, restrict access to them, and promptly apply vendor-provided security updates. Verifying the successful implementation of these fixes and maintaining continuous monitoring for related security events are essential next steps.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified