Two Zero-Days Among Patch Tuesday CVEs This Month

By Team-CWD, September 11, 2025


Microsoft yesterday issued updates to fix 81 vulnerabilities in this month’s Patch Tuesday, including two classed as zero-days that have been disclosed but not yet exploited.

The first is CVE-2024-21907, which relates to improper handling of exceptional conditions in Newtonsoft.Json – a part of SQL Server. The bug was originally made public in January 2024, although it may have been flagged as far back as 2018, according to Adam Barnett, lead software engineer at Rapid7.

“What happens if you ask SQL Server to deserialize a JSON object with thousands of levels of nested objects? If you guessed denial of service, then you are good at guessing, because that’s what CVE-2024-21907 describes,” he explained.

“As zero-day vulnerabilities go, it doesn’t seem particularly terrifying, since presumably the worst an attacker can do is knock down a service, which can then be picked up again. Of course, that’s all relative, since some SQL Server instances are doing very important work: think hospitals, airports and other critical infrastructure.”

Read more on Patch Tuesday: Microsoft Fixes Seven Zero-Days in May Patch Tuesday

The second zero-day is CVE-2025-55234, a Windows SMB elevation of privilege (EoP) vulnerability that can be exploited remotely.

“Microsoft says that an attacker with network access would be able to perform a replay attack against a target host, which could result in the attacker gaining additional privileges, which could lead to code execution,” explained Immersive senior director of threat research, Kev Breen.  

“It is noted that the SMB Server already has the ability to harden against replay attacks by enabling features like SMB Server Signing and Extended Protection for Authentication. Before turning on these additional security features, organizations should check the potential impact, as enabling these features may adversely affect some third-party integrations or network configurations.”

Microsoft is also offering users audit capabilities to help them assess any compatibility issues before turning on the additional security features.

Exploitation More Likely

Breen flagged several other EoP vulnerabilities fixed this Patch Tuesday which are labelled “exploitation more likely” by Microsoft. These include:

  • CVE-2025-54110, which impacts the Windows Kernel
  • CVE-2025-54093 (Windows TCP/IP Driver)
  • CVE-2025-54098 in the Windows Hyper-V system

“While local privilege escalation vulnerabilities don’t often get high CVSS scores, that doesn’t make them any less important. Once a threat actor gains initial code execution through a remote code execution (RCE) vulnerability, stolen credentials or a phishing attack, they will then try to escalate their permissions both locally on the host and, if possible, across the domain,” he explained.

“With system or administrator-level permissions, threat actors are able to disable security tooling and logging as well as deploy additional malware or tools in order to move laterally across the network.”

In total, there are 41 EoP vulnerabilities and 22 RCE flaws to fix, although only two of the former and five of the latter are rated critical.
