overview

Microsoft’s latest Patch Tuesday report highlighted fixes for a significant number of vulnerabilities, two of which are new zero-day vulnerabilities: CVE-2025-21194 and CVE-2025-21377.

CVE-2025-21194 is a security feature bypass vulnerability affecting Microsoft Surface devices. It has been assigned a CVSS v3.1 base score of 7.1. Microsoft describes the flaw as a hypervisor vulnerability that allows attackers to bypass UEFI and compromise the secure kernel. Exploitation requires an attacker to gain access to the same network as the target device and to convince the user to reboot it. Due to the high complexity and the multiple conditions needed for successful exploitation, Microsoft has assessed the exploitability of this vulnerability as "Less Likely."

CVE-2025-21377 is a New Technology LAN Manager (NTLM) Hash Disclosure Spoofing Vulnerability that was publicly disclosed prior to the release of a patch. This vulnerability allows an attacker to obtain a user's NTLMv2 hash, which could then be used to authenticate as that user. Exploitation requires minimal user interaction, such as selecting, inspecting, or performing an action other than opening or executing a malicious file. Microsoft has assessed this vulnerability as "Exploitation More Likely." 

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

At this time, there are no known IoCs associated with successful exploitation of these CVEs. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

TTPs TO MONITOR

CVE-2025-21194: Microsoft Surface Security Feature Bypass

This vulnerability affects Microsoft Surface devices and allows attackers to bypass security features, potentially leading to unauthorized system access.

| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1190 - Exploit Public-Facing Application | If an attacker finds an exposed vulnerable Surface device, they may exploit the vulnerability remotely. |
| Persistence | T1547.001 - Registry Run Keys / Startup Folder | Attackers may leverage bypassed security controls to establish persistence on the device. |
| Defense Evasion | T1211 - Exploitation for Defense Evasion | Since this is a security feature bypass, it may allow an attacker to disable system protections. |
| Privilege Escalation | T1068 - Exploitation for Privilege Escalation | If exploited successfully, attackers could use this vulnerability to gain higher privileges. |
| Impact | T1499.004 - Endpoint Denial of Service | Attackers may use the exploit to cause system instability or prevent Surface devices from booting properly. |

CVE-2025-21377: NTLM Hash Disclosure Spoofing Vulnerability

This vulnerability allows an attacker to trick a victim into leaking NTLMv2 hashes, which can then be used for authentication relay attacks.

| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1566.002 - Spearphishing Link | Attackers may send malicious links or files that trigger NTLM hash disclosure. |
| Credential Access | T1187 - Forced Authentication | The vulnerability forces NTLM authentication, leaking hashes that can be relayed or cracked. |
| Credential Access | T1110.003 - Password Spraying | Attackers may attempt to reuse stolen NTLM hashes to authenticate against different systems. |
| Lateral Movement | T1550.002 - Use Alternate Authentication Material | Stolen NTLM hashes can be used to authenticate to other networked systems. |
| Lateral Movement | T1021.002 - SMB/Windows Admin Shares | Attackers may use NTLM hashes to access remote SMB shares. |
| Defense Evasion | T1070.004 - File Deletion | Attackers may delete forensic logs after obtaining NTLM hashes to avoid detection. |

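Detection logic for the Credential Access and Lateral Movement rows above, as an added example that is not part of the original notice: it runs over constructed Windows Security 4624 events and an assumed asset inventory, and flags network NTLM logons whose source IP disagrees with the workstation named in the authentication, or one source authenticating as several accounts over NTLM.

```python
"""Flag network NTLM logons that look like relayed or reused NTLMv2 credentials
(T1187 -> T1550.002). Added example; events and inventory are constructed."""
from collections import defaultdict

# Constructed Windows Security 4624 events, flattened to key=value lines as a
# SIEM forwarder might emit them. Not real telemetry.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=jdoe IpAddress=10.0.5.21 WorkstationName=WS-021
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM_V2 TargetUserName=jdoe IpAddress=10.0.5.21 WorkstationName=WS-021
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM_V2 TargetUserName=jdoe IpAddress=10.0.9.77 WorkstationName=WS-021
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM LmPackageName=NTLM_V2 TargetUserName=svc_backup IpAddress=10.0.9.77 WorkstationName=WS-044
EventID=4624 LogonType=2 AuthenticationPackageName=NTLM LmPackageName=NTLM_V2 TargetUserName=admin IpAddress=127.0.0.1 WorkstationName=DC01
"""

# Constructed asset inventory: the IP each workstation is expected to use.
INVENTORY = {"WS-021": "10.0.5.21", "WS-044": "10.0.5.44", "DC01": "10.0.1.10"}


def parse_events(text):
    """Turn key=value lines into dicts, skipping blank lines."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def find_suspicious_ntlm_logons(text, inventory, max_accounts_per_source=1):
    """Return findings for network (type 3) NTLM logons that look relayed.

    Heuristic 1: the source IP differs from the inventory IP of the workstation
    named in the NTLM exchange (a relay forwards the victim's response from the
    attacker's host). Heuristic 2: one source IP logs on as several accounts.
    """
    findings, accounts_by_source = [], defaultdict(set)
    for ev in parse_events(text):
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        src, host = ev.get("IpAddress", "-"), ev.get("WorkstationName", "")
        user = ev.get("TargetUserName", "")
        accounts_by_source[src].add(user)
        expected = inventory.get(host)
        if expected is not None and expected != src:
            findings.append({"reason": "workstation/ip mismatch", "user": user,
                             "source": src, "workstation": host})
    for src, users in accounts_by_source.items():
        if len(users) > max_accounts_per_source:
            findings.append({"reason": "multiple accounts via NTLM from one source",
                             "source": src, "users": sorted(users)})
    return findings
```

WorkstationName is supplied by the client in the NTLM exchange, so a mismatch is a lead to triage rather than proof; a production query should also tolerate events where that field is empty, as this code does by skipping the inventory check.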

additional recommendations + information

  • Apply Security Patches: Microsoft has released updates for both vulnerabilities—ensure they are applied immediately. 
  • Disable NTLM Authentication: If possible, enforce Kerberos-only authentication to prevent NTLM relay attacks. 
  • Enable SMB Signing: This prevents attackers from relaying captured NTLM hashes to SMB shares. 
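
To check the three recommendations above on a host, an added example that is not part of the original notice: a Python audit over a `reg query` text dump of the SMB signing and NTLM policy values. The registry paths are the real Windows policy locations; the dump contents are constructed.

```python
"""Audit the SMB-signing and NTLM settings recommended above from a
`reg query` dump. Added example; sample values are constructed."""

# Constructed `reg query` output (key header line, then "name type value"
# lines). Not captured from a real host.
SAMPLE_REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RequireSecuritySignature    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    RequireSecuritySignature    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel        REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    RestrictSendingNTLMTraffic  REG_DWORD    0x1
"""

HIVE = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\"

# (key path under HIVE, value name, required DWORD, what it enforces)
REQUIRED = [
    ("Services\\LanmanServer\\Parameters", "RequireSecuritySignature", 1, "SMB server requires signing"),
    ("Services\\LanmanWorkstation\\Parameters", "RequireSecuritySignature", 1, "SMB client requires signing"),
    ("Control\\Lsa", "LmCompatibilityLevel", 5, "send NTLMv2 only, refuse LM and NTLMv1"),
    ("Control\\Lsa\\MSV1_0", "RestrictSendingNTLMTraffic", 2, "deny outgoing NTLM (Kerberos only)"),
]


def parse_reg_dump(text):
    """Map (upper-cased key path, lower-cased value name) -> int for REG_DWORD entries."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().upper()
        elif key and line.strip():
            name, vtype, raw = line.split()
            if vtype == "REG_DWORD":
                values[(key, name.lower())] = int(raw, 16)
    return values


def audit(text):
    """Return one finding per recommended setting that is missing or weaker than required."""
    values, findings = parse_reg_dump(text), []
    for suffix, name, want, meaning in REQUIRED:
        got = values.get(((HIVE + suffix).upper(), name.lower()))
        if got != want:
            state = "not set" if got is None else f"is {got}"
            findings.append(f"{suffix}\\{name} {state}, expected {want} ({meaning})")
    return findings
```

LmCompatibilityLevel 5 still permits NTLMv2, so RestrictSendingNTLMTraffic is the value that actually stops outgoing NTLM; pilot it at 1 (audit) and review the NTLM audit events before moving to 2 (deny).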

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION

  • Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws
  • CVE-2025-21194
  • CVE-2025-21194 Detail
  • NTLM Hash Disclosure Spoofing Vulnerability