The Information Security Authority (ISA) under the Ministry of Information and Communications has issued a caution regarding 23 recently detected high- and critical-risk security vulnerabilities in Microsoft applications. These weaknesses present substantial threats to information infrastructures throughout Vietnam.
On January 14, Microsoft published its monthly security updates for January 2025, addressing 161 vulnerabilities, which include 159 within its own applications and two in third-party applications impacting Microsoft systems.
Among the reported vulnerabilities, 23 are especially alarming due to their severe implications. The National Cyber Security Center (NCSC), a division of the ISA, has evaluated these weaknesses and has urged organizations across the country to rectify them without delay.
Significant vulnerabilities
The list of vulnerabilities encompasses five that enable privilege escalation attacks, such as:
CVE-2025-21275 in Windows App Package Installer.
CVE-2025-21311 in Windows NTLM V1.
Three vulnerabilities (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) in Windows Hyper-V NT Kernel Integration VSP, which are currently being targeted by cybercriminals.
Another crucial vulnerability, CVE-2025-21308 in Windows Themes, facilitates spoofing attacks. Detailed data about this flaw has already been publicly disclosed, increasing the potential for exploitation.
Seventeen of the vulnerabilities allow remote code execution (RCE), representing a significant risk for systems, including:
CVE-2025-21298 in Windows OLE.
CVE-2025-21297 and CVE-2025-21309 in Windows Remote Desktop Services.
CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395 in Microsoft Access.
CVE-2025-21354 and CVE-2025-21362 in Microsoft Excel.
CVE-2025-21402 in Microsoft Office OneNote.
CVE-2025-21365 in Microsoft Office.
CVE-2025-21345 and CVE-2025-21356 in Microsoft Office Visio.
CVE-2025-21363 in Microsoft Word.
CVE-2025-21357 and CVE-2025-21361 in Microsoft Outlook.
CVE-2025-21344 and CVE-2025-21348 in SharePoint Server.
Advice and measures
The ISA has reiterated that these vulnerabilities could be exploited by malicious users to execute unauthorized activities, compromising the integrity of information systems within organizations, enterprises, and government bodies.
To alleviate these threats, organizations in Vietnam should:
Identify systems utilizing Windows operating systems that may be susceptible to these vulnerabilities.
Implement Microsoft’s security updates as the most efficient remedy.
Heighten surveillance for indications of exploitation or cyber intrusions.
Stay informed about alerts from cybersecurity organizations and credible entities to recognize emerging risks.
For support, organizations can reach the NCSC via its hotline at 02432091616 or through email at ncsc@ais.gov.vn.
The ISA persists in urging vigilance and proactive actions to protect Vietnam’s information systems from potential cyber dangers.
Van Anh