CVE-2025-21335
📋 TL;DR
This vulnerability allows an authenticated attacker with guest VM access to execute arbitrary code with SYSTEM privileges on the Hyper-V host. It affects Windows systems running Hyper-V with the NT Kernel Integration VSP component. Attackers must already have access to a guest virtual machine to exploit this flaw.
💻 Affected Systems
- Windows Hyper-V
📦 What is this software?
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete host compromise allowing an attacker to execute arbitrary code with SYSTEM privileges, access all host resources, and potentially pivot to other systems in the environment.
Likely Case
Privilege escalation from guest VM user to host SYSTEM privileges, enabling lateral movement, data theft, and persistence establishment on the Hyper-V host.
If Mitigated
Limited impact where network segmentation, strict access controls, and monitoring prevent successful exploitation even though the vulnerability is present.
🎯 Exploit Status
Requires authenticated access to guest VM and knowledge of Hyper-V internals. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21335
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft Update.
2. For Hyper-V hosts, install the specific KB patch mentioned in the advisory.
3. Restart affected Hyper-V hosts to complete installation.
🔧 Temporary Workarounds
Disable Hyper-V if not required
Platform: Windows
Remove the Hyper-V role from systems where virtualization is not needed (run from an elevated PowerShell; the change takes effect after a restart):
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
Restrict guest VM access
Platform: all
Implement strict access controls and monitoring for guest VM users
🧯 If You Can't Patch
- Segment Hyper-V hosts on isolated network segments with strict firewall rules
- Implement enhanced monitoring for suspicious activity between guest VMs and Hyper-V hosts
🔍 How to Verify
Check if Vulnerable:
Check whether Hyper-V is enabled and confirm that the security update has not been installed. On Windows Server use:
Get-WindowsFeature -Name Hyper-V
On the Windows 10/11 client editions listed above, which do not have Get-WindowsFeature, use:
Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that Windows Update history shows the specific KB from the advisory installed (for example Get-HotFix -Id KB<number from the advisory>) and that the host has been restarted since.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Hyper-V components
- Failed privilege escalation attempts in Windows Security logs
- Suspicious activity from guest VM to host communication
Network Indicators:
- Anomalous traffic patterns between guest VMs and Hyper-V management interfaces
SIEM Query:
EventID=4688 AND (ProcessName LIKE '%vsp%' OR CommandLine CONTAINS 'hyperv') AND (NewProcessName LIKE '%\cmd.exe' OR NewProcessName LIKE '%\powershell.exe')
Note: in Event ID 4688 the New Process Name field is a full path, so match on the file name rather than on exact equality, and keep the shell alternatives inside their own parentheses so the Hyper-V conditions apply to both.
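As an added example, not part of this advisory, the following script applies the detection logic of the SIEM query above to a handful of constructed Event ID 4688 records, and contrasts it with a reading of the query that leaves the second shell name as a bare literal outside the parentheses. Field names mirror the query; the sample process paths and command lines are invented for the test and are not real indicators.

```python
import ntpath

# Constructed sample Event ID 4688 records (not real telemetry). "ProcessName"
# stands in for the 4688 "Creator Process Name" field and "NewProcessName" for
# "New Process Name"; both are full paths, so the shell test compares file names.
SAMPLE_EVENTS = [
    # creator path matches '%vsp%' and child is cmd.exe: should alert
    {"EventID": 4688, "ProcessName": r"C:\constructed\vsp-host.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # command line mentions hyperv and child is powershell.exe: should alert
    {"EventID": 4688, "ProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File hyperv-maint.ps1"},
    # ordinary powershell.exe with no Hyper-V context: must not alert
    {"EventID": 4688, "ProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    # Hyper-V context but the child is not a shell: must not alert
    {"EventID": 4688, "ProcessName": r"C:\constructed\vsp-host.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe"}

def hyperv_context(ev):
    """ProcessName LIKE '%vsp%' OR CommandLine CONTAINS 'hyperv', case-insensitive."""
    return ("vsp" in str(ev.get("ProcessName", "")).lower()
            or "hyperv" in str(ev.get("CommandLine", "")).lower())

def is_suspicious(ev):
    """Corrected query: all three conditions ANDed, shell alternatives bracketed."""
    if ev.get("EventID") != 4688:
        return False
    child = ntpath.basename(str(ev.get("NewProcessName", ""))).lower()
    return hyperv_context(ev) and child in INTERACTIVE_SHELLS

def is_suspicious_as_written(ev):
    """Unbracketed reading: AND binds tighter than OR and the trailing
    'powershell.exe' is a bare literal, so the OR branch is always true."""
    return (ev.get("EventID") == 4688 and hyperv_context(ev)
            and ev.get("NewProcessName") == "cmd.exe") or bool("powershell.exe")

def find_suspicious(events, rule=is_suspicious):
    """Return the 1-based positions of the events that `rule` flags."""
    return [i for i, ev in enumerate(events, start=1) if rule(ev)]

if __name__ == "__main__":
    print("corrected rule flags:", find_suspicious(SAMPLE_EVENTS))  # [1, 2]
    print("unbracketed rule flags:",
          find_suspicious(SAMPLE_EVENTS, is_suspicious_as_written))  # [1, 2, 3, 4]
```

The unbracketed reading flags every event, which is why the query needs its shell alternatives grouped and matched on the file name.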