🟢 CVE-2025-21333

CVE-2025-21333 is a local privilege escalation vulnerability in Windows Hyper-V NT Kernel Integration VSP affecting multiple Windows versions. Despite being in CISA KEV, it requires local access and is not directly exploitable from the internet against public-facing applications.

Risk Level: LOW_RISK

CVSS Score: 7.8

Attack Vector: LOCAL

ATT&CK Tactic: Privilege Escalation

ATT&CK Technique: T1068 — Exploitation for Privilege Escalation

Deployment Risk: VERY_LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-01-14

Added to CISA KEV: 2025-01-14 (0 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-21333 is a high-severity privilege escalation vulnerability affecting the Windows Hyper-V NT Kernel Integration Virtual Service Provider (VSP) [1] [4].

Key Details

| Feature | Description |
|---|---|
| Vulnerability Type | Heap-based buffer overflow [1] |
| Impact | Elevation of privilege to `SYSTEM` level on the host [1] |
| Exploitation | Local; requires the attacker to already have access to the system [1] |
| Active Exploitation | Yes; included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog [2] [3] |
| Patch Status | Patched by Microsoft in early 2025 [4] |

Exploitation and Impact

  • Attack Method: The vulnerability stems from poor memory handling within the Hyper-V NT Kernel Integration VSP [1]. By triggering a heap-based buffer overflow, a local attacker can escalate their privileges to `SYSTEM` on the host machine [1].
  • Requirements: This is a local privilege escalation (LPE) vulnerability. It does not provide initial network access; rather, it is typically used by an attacker who has already gained a foothold on the system to elevate their permissions and gain full control [1].
  • Threat Actor Usage: The vulnerability has been observed being exploited in the wild by threat actors [3]. Due to its inclusion in the CISA KEV catalog, it is considered a significant risk to organizations [2].
  • Proof-of-Concept (PoC): Proof-of-concept exploit code has been made publicly available (e.g., on GitHub), which has been tested on versions such as Windows 11 23H2 [3].

Mitigation

Microsoft released security updates to address this vulnerability in early 2025 [4]. Organizations are strongly advised to ensure all affected Windows systems are fully patched according to Microsoft's security guidance [2].

Sources

  1. CVE-2025-21333: Windows Hyper-V Privilege Escalation

    CVE-2025-21333 enables NT kernel privilege escalation via Hyper-V Integration VSP, allowing attackers to gain elevated access on Windows systems. ... Patch Availability: Yes, available CVE-2025-21333 - Security Update Guide - Microsoft - Windows Hyper-V NT Kernel Integration VSP Elevation of Privile…

  2. CVE-2025-21333 Detail - NVD

    This CVE is in CISA's Known Exploited Vulnerabilities Catalog. Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and ... Microsoft Corporation. Patch Vendor Advisory. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21333.Refer…

  3. MrAle98/CVE-2025-21333-POC - GitHub

    The vulnerability was detected as actively exploited by threat actors. Tested on Windows 11 23h2. It may work also on Windows 11 24h2 but I didn't test it.

  4. CVE-2025-21333 - Unpacking the Windows Hyper-V NT Kernel Integration ...

    In early 2025, Microsoft patched a high-impact vulnerability in Windows Hyper-V, tracked as CVE-2025-21333. This bug, affecting the NT Kernel Integration Virtual Service Provider (VSP), allowed attackers to escalate privileges and take fuller control inside virtualized environments. ... In early 202…