- I recommend this 2-in-1 laptop to both creatives and professionals - and it's on sale right now
- This new AI-enabled feature from LinkedIn will help you find your next job
- Simplify AI Development with the Model Context Protocol and Docker | Docker
- AI Defense: A Vision to Securely Harness AI
- Exposure Management: A Strategic Approach to Cyber Security Resource Constraint
Microsoft Patches Eight Zero-Days to Start the Year
Microsoft released security updates for eight zero-day flaws in its first Patch Tuesday of 2025, with three of the vulnerabilities under active exploitation.
Microsoft defines zero-day vulnerabilities as software flaws that have either been publicly disclosed or are being actively exploited, with no patch available.
The three zero-days it fixed that belong to the latter group are CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335. They’re described as Windows Hyper-V NT Kernel Integration VSP elevation of privilege (EoP) bugs, with a CVSS score of 7.8.
Immersive Labs senior director of threat research, Kev Breen, warned sysadmins not to be fooled by the relatively low CVSS score, given that Hyper-V is “heavily embedded” in Windows 11 and used for a range of security tasks, including device guard and credential guard.
“Very little information is provided by Microsoft about how threat actors are exploiting this vulnerability. However, they are listed as EoP vulnerabilities – meaning that if an attacker has already gained access to a host through something like a phishing attack, then they could use these vulnerabilities to gain system-level permissions on the infected device,” he explained.
“With system-level permissions, threat actors can enable other attack vectors like disabling security tooling or dumping credentials with tools like mimikatz to pivot across enterprise domains. These techniques are frequently observed by both nation-state and financially motivated groups like ransomware operators.”
Read more on Patch Tuesday: Microsoft Fixes Four Zero-Days in July Patch Tuesday
The five publicly disclosed zero-days, which are currently not being exploited, are:
- CVE-2025-21275: A Windows App Package Installer EoP vulnerability
- CVE-2025-21308: A Windows Themes spoofing vulnerability
- CVE-2025-21186, CVE-2025-21366 and CVE-2025-21395: Remote code execution (RCE) vulnerabilities in Microsoft Access
Tyler Reguly, associate director, Security R&D, at Fortra, also flagged three critical CVEs in this month’s Patch Tuesday with CVSS scores of 9.8.
- CVE-2025-21311: A Windows NTLM V1 EoP vulnerability
- CVE-2025-21307: An unauthenticated RCE vulnerability in the Windows Reliable Multicast Transport Driver (RMCAST), when listening on a Pragmatic General Multicast (PGM) port
- CVE-2025-21298: An RCE vulnerability in Windows OLE
With over 150 CVEs addressed by Microsoft this month, patch management must be automated if organizations are to keep their heads above water, Reguly argued.
“Patching vulnerabilities should not be a solo endeavour in the enterprise and, if it is, it may be time to talk to your leadership about staffing and tooling changes,” he added.
