The Information Security Authority (ISA) under the Ministry of Information and Communications has issued a warning about 23 newly identified high- and critical-risk security vulnerabilities in Microsoft products. These flaws pose significant risks to information systems across Vietnam.
On January 14, Microsoft released its monthly security updates for January 2025, addressing 161 vulnerabilities, including 159 in its own products and two in third-party products affecting Microsoft systems.
Among the vulnerabilities identified, 23 are of particular concern due to their severe impact. The National Cyber Security Center (NCSC), part of the ISA, has analyzed these vulnerabilities and urged organizations nationwide to address them immediately.
Key vulnerabilities
The vulnerabilities include five that allow privilege escalation attacks, such as:
CVE-2025-21275 in Windows App Package Installer.
CVE-2025-21311 in Windows NTLM V1.
Three vulnerabilities (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) in Windows Hyper-V NT Kernel Integration VSP, which are already being exploited by hackers.
Another significant vulnerability, CVE-2025-21308 in Windows Themes, enables spoofing attacks. Details of this flaw have already been made public, heightening the risk of exploitation.
Seventeen of the vulnerabilities allow remote code execution (RCE), a critical risk for systems, including:
CVE-2025-21298 in Windows OLE.
CVE-2025-21297 and CVE-2025-21309 in Windows Remote Desktop Services.
CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395 in Microsoft Access.
CVE-2025-21354 and CVE-2025-21362 in Microsoft Excel.
CVE-2025-21402 in Microsoft Office OneNote.
CVE-2025-21365 in Microsoft Office.
CVE-2025-21345 and CVE-2025-21356 in Microsoft Office Visio.
CVE-2025-21363 in Microsoft Word.
CVE-2025-21357 and CVE-2025-21361 in Microsoft Outlook.
CVE-2025-21344 and CVE-2025-21348 in SharePoint Server.
Recommendations and precautions
The ISA emphasized that these vulnerabilities could be exploited by malicious actors to perform unauthorized actions, compromising the security of information systems in organizations, businesses, and governmental entities.
To mitigate these risks, entities in Vietnam should:
Identify systems running Windows operating systems that may be affected by these vulnerabilities.
Apply Microsoft’s security patches, which is the most effective solution.
Increase monitoring for signs of exploitation or cyberattacks.
Stay updated on warnings from cybersecurity authorities and reputable organizations to detect emerging threats.
For assistance, organizations can contact the NCSC through its hotline at 02432091616 or via email at [email protected].
The ISA continues to urge vigilance and proactive measures to safeguard Vietnam's information systems against potential cyber threats.
Van Anh