Cyber Resilience

CVE-2021-27085

HighCISA KEVActive ExploitationEUVD Exploited

Published: 11 March 2021

Published
11 March 2021
Modified
30 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
EPSS Score 0.0184 83.4th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-27085 is a high-severity an unspecified weakness vulnerability in Microsoft Internet Explorer. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 16.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2021-27085 is a remote code execution vulnerability affecting Internet Explorer. It received a CVSS 3.1 base score of 8.8 with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L and is tracked under NVD-CWE-noinfo.

An attacker can exploit the flaw over the network without authentication when a user interacts with specially crafted content, resulting in code execution that crosses security boundaries and produces limited confidentiality impact, high integrity impact, and limited availability impact.

Microsoft has published security guidance and updates addressing the issue through its MSRC advisory portal, while CISA has added CVE-2021-27085 to its catalog of known exploited vulnerabilities.

The vulnerability was publicly disclosed on 11 March 2021.

EU & UK References

Vulnerability details

Internet Explorer Remote Code Execution Vulnerability

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
internet explorer
11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor security updates that Microsoft released to eliminate the remote code execution flaw in Internet Explorer.

SC-18 Mobile Code partial match
prevent

Establishes usage restrictions and implementation guidance for mobile code (scripts, ActiveX, etc.) processed by Internet Explorer, limiting the attack surface exploited by crafted web content.

prevent

Enforces least functionality by disabling or restricting unnecessary browser components and features that enable the cross-boundary code execution described in the CVE.

References