
POC for Windows Hyper-V SYSTEM privilege escalation released

Security researchers have publicly disclosed a proof-of-concept (POC) exploit for CVE-2025-21333, a critical privilege-escalation vulnerability in Microsoft's Hyper-V virtualization framework.

The vulnerability lies in the vkrnlintvsp.sys driver and allows local attackers to gain SYSTEM privileges through a sophisticated heap manipulation technique.

Microsoft rated the flaw as Important (CVSS v3 score 7.8) in January 2025.

Vulnerability overview

According to a GitHub report, the vulnerability is a heap-based buffer overflow (CWE-122) in the NT Kernel & System component of Hyper-V's virtualization service provider.

Attackers can exploit this flaw by crafting malicious I/O request packets (IRPs) that overwrite critical memory structures in the Windows paged pool. Successful exploitation allows:

  • Arbitrary read/write primitives in kernel memory
  • Direct manipulation of process tokens
  • Privilege escalation from a standard user to SYSTEM

The exploit uses Windows I/O rings, a high-performance I/O mechanism introduced in Windows 11 22H2.

By manipulating the _IOP_MC_BUFFER_ENTRY structures associated with I/O rings, attackers can redirect kernel operations into user-controlled memory regions.

Exploitation mechanism

The POC demonstrates a novel technique involving:

  1. Pool grooming: allocating and freeing IRRB (I/O ring buffer) pool chunks
  2. Controlled overflow: triggering the vulnerability to overwrite adjacent pool allocations
  3. Memory corruption: replacing legitimate _IOP_MC_BUFFER_ENTRY pointers with attacker-controlled addresses

Key code snippet from the POC (simplified):

// Overwrite IOP_MC_BUFFER_ENTRY array pointer
BuildIoRingWriteFile(
    hIoRing,
    malicious_entry_ptr,  // User-space fake buffer entry
    target_process_token,
    sizeof(TOKEN),
    0,
    FILE_WRITE_FLAGS_NONE
);

This technique bypasses earlier mitigations by avoiding NtQuerySystemInformation for address leaks and retaining full control through I/O ring operations.

The attacker then modifies the token privilege field of the SYSTEM process structure to complete the privilege escalation.

Impact assessment

Microsoft confirmed active exploitation in the wild before the patch was released. Affected systems include:

  • Windows 11 23H2 (confirmed)
  • Windows 11 24H2 (suspected)
  • All Hyper-V-capable environments

Successful exploitation requires low-privileged access and specific configurations:

  • Windows Sandbox feature enabled
  • Working with 0x50-byte pool allocations
  • Vulnerable versions of vkrnlintvsp.sys (SHA256: 28948C65EF108AA5B43E3D10EE7602AEBA0245796A84B4F9DDDDF77)

Security practitioners should prioritize patching because of the exploit's:

  • 100% reliability in controlled environments
  • Absence of crash dumps in successful cases
  • Ability to be chained with other vulnerabilities

Workarounds for unpatched systems:

# Disable the vulnerable driver's feature (Windows Sandbox) via PowerShell
Disable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM"
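The following PowerShell script is an added example, not code from the article or from the POC: it checks whether a host meets the two configuration prerequisites listed above (Windows Sandbox enabled, and a vkrnlintvsp.sys build whose SHA-256 is on a known-vulnerable list) and, only when the -ApplyWorkaround switch is given, runs the same Disable-WindowsOptionalFeature workaround. It assumes the driver lives at System32\drivers\vkrnlintvsp.sys and that the operator fills in the full vulnerable hash from the advisory (the article's hash is truncated, so a placeholder is used).

```powershell
# Added example (not from the article): exposure check for CVE-2025-21333.
# Run from an elevated PowerShell session.
# Assumptions: driver path below; vulnerable-hash list supplied by the operator.
param(
    [switch]$ApplyWorkaround   # only disable Windows Sandbox when explicitly asked
)

$FeatureName = 'Containers-DisposableClientVM'   # Windows Sandbox optional feature
$DriverPath  = Join-Path $env:SystemRoot 'System32\drivers\vkrnlintvsp.sys'   # assumed location
$VulnerableHashes = @(
    'PLACEHOLDER-FULL-SHA256-OF-VULNERABLE-VKRNLINTVSP-SYS'   # replace with the advisory's full hash
)

# 1. Is the Windows Sandbox feature enabled? (prerequisite from the article)
$feature        = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName
$sandboxEnabled = ($feature.State -eq 'Enabled')
Write-Host ("Windows Sandbox feature ({0}): {1}" -f $FeatureName, $feature.State)

# 2. Is the driver present, and does its SHA-256 match a known-vulnerable build?
$driverVulnerable = $false
if (Test-Path $DriverPath) {
    $hash    = (Get-FileHash -Path $DriverPath -Algorithm SHA256).Hash
    $version = (Get-Item $DriverPath).VersionInfo.FileVersion
    $driverVulnerable = $VulnerableHashes -contains $hash   # -contains is case-insensitive
    Write-Host ("vkrnlintvsp.sys version {0}, SHA256 {1}" -f $version, $hash)
    Write-Host ("Hash matches a known-vulnerable build: {0}" -f $driverVulnerable)
} else {
    Write-Host "vkrnlintvsp.sys not found at $DriverPath"
}

# 3. Summarize exposure: both prerequisites must hold for the described technique.
if ($sandboxEnabled -and $driverVulnerable) {
    Write-Warning "Host matches the exploit prerequisites: patch, or disable Windows Sandbox."
    if ($ApplyWorkaround) {
        # Same workaround as the one-liner above; -NoRestart lets the operator schedule the reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
    }
} elseif ($sandboxEnabled) {
    Write-Host "Windows Sandbox is enabled but the driver hash is not on the vulnerable list; verify against the current advisory."
} else {
    Write-Host "Windows Sandbox is disabled; the configuration prerequisite is not met."
}
```

The script is report-only by default so it can be pushed fleet-wide through an existing management channel; the workaround is applied only with -ApplyWorkaround, and a reboot is still needed for the feature change to take effect.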

The Microsoft Security Response Center (MSRC) is investigating potential connections to:

  • DarkHydrus operations in Southeast Asia
  • Recent Azure VM theft campaigns
  • Possible exploitation vectors in Windows Containers

Security teams should:

  • Monitor IRRB/NPAT pool allocations
  • Block execution of binaries with known POC hashes
  • Audit SYSTEM token modifications via EDR solutions

The CVE-2025-21333 POC demonstrates significant progress in Windows kernel exploitation techniques.

By combining I/O ring manipulation with precise pool grooming, attackers achieve reliable privilege escalation without conventional address leak methods.

This vulnerability underscores the critical need for memory-safe practices in kernel-level development and for proactive patch management in enterprise environments.
