Windows Hyper-V NT Kernel Vulnerability Lets Attackers Gain SYSTEM Privileges

Threat actors are currently leveraging CVE-2025-21333, a critical vulnerability found within Microsoft’s Windows Hyper-V NT Kernel Integration Virtual Service Provider (VSP). This heap-based buffer overflow vulnerability enables local attackers to escalate their privileges to the SYSTEM level, creating a considerable security risk. With a CVSS score of 7.8, this vulnerability is classified as “Important” and has already been observed in active exploitation scenarios.

The vulnerability is located in the vkrnlintvsp.sys driver, which plays a crucial role in facilitating communication between the host operating system and container-like virtual machines, such as Windows Sandbox and Microsoft Defender Application Guard. Unlike traditional Hyper-V environments, these containerized VMs operate in a manner that simulates running directly on the host OS, thereby introducing unique attack vectors.

Exploitation Technique

A Proof of Concept (PoC) published on GitHub demonstrates how to exploit this vulnerability by utilizing a heap-based buffer overflow within the I/O ring mechanism. The technique involves several key steps:

  • I/O Ring Buffer Manipulation: The exploit targets an array of pointers to IOPMCBUFFERENTRY objects allocated in the paged pool with the IrRB pool tag. By overwriting one of these pointers with a malicious user-space address, attackers can gain arbitrary read/write capabilities in kernel memory.
  • Arbitrary Read/Write: The attacker then uses functions such as BuildIoRingWriteFile() and BuildIoRingReadFile() to read and write kernel memory and ultimately execute arbitrary code.
  • Privilege Escalation: The malicious entry crafted in the I/O ring buffer points to a process object, allowing for SYSTEM-level privilege escalation.

This exploitation method diverges from traditional techniques, as it does not depend on leaking kernel addresses through NtQuerySystemInformation or manipulating PreviousMode. Instead, it relies on precise heap spraying and controlled object reallocation to ensure reliable exploitation.

The PoC has been attributed to a group of anonymous researchers and security experts, including @yarden_shafir, @cbayet, @paulfariello, @alexjplasket, and @InfosecIITR.

Affected Systems

The vulnerability primarily impacts the following systems:

  • Windows 11 Version 23H2 (tested)
  • Potentially Windows 11 Version 24H2 (untested)
  • Other Windows versions shipping a vulnerable vkrnlintvsp.sys driver.

Hashes of tested binaries include:

  • ntoskrnl.exe: SHA256 – 999C51D12CDF17A57054068D909E88E1587A9A715F15E0DE9E32F4AA4875C473
  • vkrnlintvsp.sys: SHA256 – 28948C65EF108AA5B43E3D10EE7EA7602AEBA0245305796A84B4F9DBDEDDDF77

While the PoC illustrates SYSTEM privilege escalation, it does come with certain limitations:

  • It requires Windows Sandbox to be enabled so that the vulnerable driver handles the relevant syscalls.
  • The overflow length is not fully controllable; excessive overflows may lead to system crashes.
  • Race conditions during object reallocation can result in inconsistent behavior.

Mitigation strategies include:

  • Update Systems: Apply security updates for all affected Windows versions.
  • Enable Protections: Utilize features such as Hyper-V isolation to enhance security.
  • Monitor for Exploitation: Employ endpoint detection tools to watch for signs of active exploitation.
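A quick host triage script, added here as an example and not part of the original article or the PoC, ties the limitations and mitigations above together: it checks whether the installed vkrnlintvsp.sys matches the SHA256 the PoC was tested against and whether the Windows Sandbox feature (a precondition of the PoC) is enabled. It assumes the driver lives under System32\drivers and that Windows Sandbox is the optional feature named Containers-DisposableClientVM; both are assumptions, not details from the article.

```powershell
# Added triage example (not from the article or the PoC). Run in an elevated PowerShell.
# Assumptions: vkrnlintvsp.sys lives in System32\drivers, and Windows Sandbox is the
# optional feature 'Containers-DisposableClientVM'.

# SHA256 of the vkrnlintvsp.sys build the PoC was tested against (value from the article).
$TestedDriverHash = '28948C65EF108AA5B43E3D10EE7EA7602AEBA0245305796A84B4F9DBDEDDDF77'
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\vkrnlintvsp.sys'

function Get-HyperVVspExposure {
    $result = [ordered]@{
        DriverPresent      = Test-Path $DriverPath
        DriverHash         = $null
        MatchesTestedBuild = $false
        SandboxEnabled     = $false
    }

    if ($result.DriverPresent) {
        $result.DriverHash = (Get-FileHash -Path $DriverPath -Algorithm SHA256).Hash
        # Only the build the PoC was tested on is known from the article; a different
        # hash does not prove the host is patched, so the update status must still be checked.
        $result.MatchesTestedBuild = ($result.DriverHash -eq $TestedDriverHash)
    }

    # The PoC needs Windows Sandbox enabled so that the vulnerable driver handles the syscalls.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -ErrorAction SilentlyContinue
    if ($feature) { $result.SandboxEnabled = ($feature.State -eq 'Enabled') }

    return [pscustomobject]$result
}

$exposure = Get-HyperVVspExposure
$exposure | Format-List

if ($exposure.MatchesTestedBuild -and $exposure.SandboxEnabled) {
    Write-Warning 'Driver matches the PoC-tested build and Windows Sandbox is enabled: apply the January 2025 updates now.'
} elseif ($exposure.MatchesTestedBuild) {
    Write-Warning 'Driver matches the PoC-tested build: apply the January 2025 updates.'
} else {
    Write-Output 'Driver hash differs from the PoC-tested build; confirm the January 2025 cumulative update is installed.'
}
```

A hash mismatch is only evidence that the host is not running the exact build the PoC targeted, so treat the update check as the authoritative signal.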

Successful exploitation of this vulnerability can severely compromise confidentiality, integrity, and availability by granting SYSTEM privileges. Microsoft has addressed this vulnerability in its January 2025 Patch Tuesday updates, and users are strongly encouraged to apply these patches without delay.

