Windows Hyper-V NT Kernel Vulnerability Let Attackers Gain SYSTEM Privileges – PoC Released

Threat actors have actively exploited CVE-2025-21333, a vulnerability in Microsoft's Windows Hyper-V NT Kernel Integration Virtual Service Provider (VSP).

It is a heap-based buffer overflow that lets a local, unprivileged attacker escalate to SYSTEM. Microsoft rates it "Important" with a CVSS score of 7.8, and exploitation in the wild was already under way when the fix shipped.

The vulnerability resides in the vkrnlintvsp.sys driver, a key component of the Hyper-V NT Kernel Integration VSP. 


This driver handles communication between the host operating system and the lightweight, container-style virtual machines used by Windows Sandbox and Microsoft Defender Application Guard.

Unlike a conventional Hyper-V guest, these containers are designed to look as if they run directly on the host OS, and the kernel integration code that makes this possible is attack surface reachable from an ordinary process on the host.

Exploitation Technique

The proof of concept (PoC) published on GitHub turns the heap overflow into an attack on the I/O ring mechanism. Specifically:

I/O Ring Buffer Manipulation: When a process registers buffers with an I/O ring, the kernel allocates an array of pointers to _IOP_MC_BUFFER_ENTRY objects in the paged pool under the IrRB pool tag. The exploit places the overflowable allocation next to this array and overwrites one of the pointers with a user-space address, so the kernel now trusts a fake buffer entry that the attacker controls.

Arbitrary Read/Write: The fake entry's address field can point anywhere in kernel memory. A write-file operation queued with BuildIoRingWriteFile() copies from that address into a file, which yields an arbitrary kernel read; a read-file operation queued with BuildIoRingReadFile() copies file data to that address, which yields an arbitrary kernel write. No code execution in the kernel is needed; the primitive is data-only.

Privilege Escalation: With arbitrary read and write in hand, the exploit points the fake entry at its own process object and modifies it so the process runs with SYSTEM privileges.

Unlike many Windows kernel exploits, this technique does not need to leak kernel addresses through NtQuerySystemInformation or to tamper with the thread's PreviousMode. It relies instead on precise heap spraying and controlled reallocation of objects so that the vulnerable allocation and the IrRB array end up adjacent.
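The following is an added, user-mode model of the primitive described above; it is not code from the PoC or from Microsoft, and it runs entirely in one process. It models the IrRB array as a pointer array sitting right after the overflowable buffer inside a single block, overwrites one pointer with the address of a fake entry, and then shows why the kernel's read-file and write-file paths turn into an arbitrary write and an arbitrary read. The structure layout, the names ioring_read_file/ioring_write_file and the adjacency of the two allocations are assumptions made for the model; the real _IOP_MC_BUFFER_ENTRY has more fields, and the real exploit has to earn that adjacency by spraying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced stand-in for the kernel's _IOP_MC_BUFFER_ENTRY. Only the two fields
 * the primitive depends on are modelled (assumption: the real structure
 * carries more). */
typedef struct {
    void    *Address;   /* buffer the I/O ring op copies to or from */
    uint32_t Length;    /* its size */
} MC_BUFFER_ENTRY;

#define NUM_ENTRIES 4
#define VULN_SIZE   64

/* Model of the relevant paged-pool neighbourhood: the overflowable allocation
 * lies immediately before the IrRB array of entry pointers. This adjacency is
 * simply laid out here; in the real pool it is obtained by heap spraying. */
typedef struct {
    uint8_t          vuln[VULN_SIZE];
    MC_BUFFER_ENTRY *entries[NUM_ENTRIES];   /* the "IrRB" pointer array */
} PoolRegion;

/* The overflow: copies len attacker bytes starting at vuln. Anything past
 * VULN_SIZE lands on entries[]. Bounded to the struct so the model stays
 * well-defined C; the real bug has no such bound. */
static int vulnerable_copy(PoolRegion *pool, const uint8_t *src, size_t len)
{
    if (len > sizeof(*pool)) return -1;
    memcpy(pool, src, len);
    return 0;
}

/* Model of the kernel side of a read-file op: file bytes are copied into the
 * registered buffer. If entries[index] has been redirected to a fake entry
 * whose Address is a kernel pointer, this is an arbitrary kernel write. */
static int ioring_read_file(PoolRegion *pool, unsigned index,
                            const void *file_data, uint32_t len)
{
    if (index >= NUM_ENTRIES) return -1;
    MC_BUFFER_ENTRY *e = pool->entries[index];
    if (len > e->Length) return -1;
    memcpy(e->Address, file_data, len);
    return 0;
}

/* Model of a write-file op: the registered buffer is copied out to the file
 * (a pipe in the real technique). With the same redirection: arbitrary read. */
static int ioring_write_file(PoolRegion *pool, unsigned index,
                             void *file_out, uint32_t len)
{
    if (index >= NUM_ENTRIES) return -1;
    MC_BUFFER_ENTRY *e = pool->entries[index];
    if (len > e->Length) return -1;
    memcpy(file_out, e->Address, len);
    return 0;
}

/* Runs the whole sequence. Returns the value read back from the "kernel"
 * target after the hijacked write, or 0 on any failure. */
uint64_t simulate_ioring_hijack(void)
{
    static uint64_t kernel_target = 0x1122334455667788ULL; /* stands in for a field of a kernel object */
    static uint8_t  user_buf[NUM_ENTRIES][16];
    static MC_BUFFER_ENTRY legit[NUM_ENTRIES];
    static PoolRegion pool;

    /* 1. Legitimate registration: every entry describes a user buffer. */
    for (unsigned i = 0; i < NUM_ENTRIES; i++) {
        legit[i].Address = user_buf[i];
        legit[i].Length  = sizeof(user_buf[i]);
        pool.entries[i]  = &legit[i];
    }

    /* 2. Fake entry in "user space" whose Address is the kernel target. */
    MC_BUFFER_ENTRY fake = { &kernel_target, sizeof(kernel_target) };
    MC_BUFFER_ENTRY *fake_ptr = &fake;

    /* 3. Overflow payload: filler up to the end of vuln, then exactly one
     *    pointer-sized value that overwrites entries[0]. */
    uint8_t payload[VULN_SIZE + sizeof(fake_ptr)];
    memset(payload, 'A', VULN_SIZE);
    memcpy(payload + VULN_SIZE, &fake_ptr, sizeof(fake_ptr));
    if (vulnerable_copy(&pool, payload, sizeof(payload)) != 0) return 0;

    /* 4. A "read file" into entry 0 now writes into kernel_target. */
    uint64_t new_value = 0xC0FFEEULL;
    if (ioring_read_file(&pool, 0, &new_value, sizeof(new_value)) != 0) return 0;

    /* 5. A "write file" from entry 0 reads kernel_target back out. */
    uint64_t observed = 0;
    if (ioring_write_file(&pool, 0, &observed, sizeof(observed)) != 0) return 0;
    return observed;
}

int main(void)
{
    printf("value read back through hijacked entry: 0x%llx\n",
           (unsigned long long)simulate_ioring_hijack());
    return 0;
}
```

The point the model makes is that nothing in the read-file or write-file path validates where an entry pointer came from; once one slot in the IrRB array points into user memory, every later I/O ring operation on that slot becomes a kernel memory access at an attacker-chosen address. The PoC's reliability problems (the overflow length is only partly controlled, and the adjacency has to be won by spraying) live in step 3 of this sequence.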

PoC Credits

The PoC credits @yarden_shafir, @cbayet, @paulfariello, @alexjplasket and @InfosecIITR for the prior I/O ring and kernel exploitation research it builds on.

Affected Systems

The vulnerability primarily affects:

  • Windows 11 Version 23H2 (tested)
  • Potentially Windows 11 Version 24H2 (untested)
  • Other Windows versions that ship a vulnerable vkrnlintvsp.sys (untested)

Hashes of tested binaries:

  • ntoskrnl.exe: SHA256 – 999C51D12CDF17A57054068D909E88E1587A9A715F15E0DE9E32F4AA4875C473
  • vkrnlintvsp.sys: SHA256 – 28948C65EF108AA5B43E3D10EE7EA7602AEBA0245305796A84B4F9DBDEDDDF77

While the PoC demonstrates SYSTEM privilege escalation, it has certain limitations:

  • Requires Windows Sandbox to be enabled, since the vulnerable driver is only loaded and reachable when that optional feature is on.
  • Overflow length is not fully controllable; excessive overflows may cause crashes.
  • Race conditions during object reallocation can lead to inconsistent behavior.

The PoC works around the last two limitations by spraying more objects and retrying the reallocation until the intended memory layout is obtained. These are reliability tweaks for the exploit, not defences.

Mitigation

  • Update Systems: Apply the January 2025 security updates to every affected Windows version.
  • Reduce Exposure: Where Windows Sandbox and Microsoft Defender Application Guard are not needed, leave those optional features disabled so that vkrnlintvsp.sys is not loaded. Turning on more Hyper-V features does not help here, because the flaw sits in the Hyper-V integration driver itself.
  • Monitor for Exploitation: Watch endpoint detection telemetry for signs of active exploitation, including unexpected kernel crashes, which the PoC's reliability limitations make likely during failed attempts.

Successful exploitation compromises confidentiality, integrity, and availability by granting SYSTEM privileges. 

Microsoft addressed this vulnerability in its January 2025 Patch Tuesday updates. Users are strongly advised to apply these patches immediately.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.