Cyber Resilience

CVE-2025-21176

High

Published: 14 January 2025

Published
14 January 2025
Modified
06 May 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0194 83.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21176 is a high-severity Buffer Over-read (CWE-126) vulnerability in Microsoft .Net Framework. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked in the top 16.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-21176 is a remote code execution vulnerability affecting .NET, .NET Framework, and Visual Studio. It carries a CVSS 3.1 base score of 8.8 and is associated with CWE-126 along with an NVD-CWE-noinfo entry, indicating a high-severity flaw that can be triggered over a network connection.

An unauthenticated attacker can exploit the issue by convincing a user to interact with malicious content, such as opening a specially crafted file or visiting a hostile web page. Successful exploitation grants the attacker full confidentiality, integrity, and availability impact on the affected system without requiring prior authentication or elevated privileges.

Microsoft's security update guide for CVE-2025-21176 and related vendor advisories provide official remediation details and patch availability for supported versions of the affected components.

The associated EPSS score remains low at 0.0194 with no material increase from its peak value, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

RCE requires user interaction with malicious file or link, directly mapping to User Execution sub-techniques.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21277Same product: Microsoft Windows 10 1507
CVE-2026-33116Same product: Apple Macos
CVE-2026-20846Same product: Microsoft Windows 10 1607
CVE-2025-21305Same product: Microsoft Windows 10 1507
CVE-2025-24993Same product: Microsoft Windows 10 1507
CVE-2025-21172Same product: Apple Macos
CVE-2026-26184Same product: Microsoft Windows 10 1809
CVE-2025-24985Same product: Microsoft Windows 10 1507
CVE-2025-21332Same product: Microsoft Windows 10 1507
CVE-2025-21180Same product: Microsoft Windows 10 1507

Affected Assets

microsoft
.net
8.0.0, 9.0.0
microsoft
visual studio 2017
15.0 — 15.9.69
microsoft
.net framework
3.5, 4.6, 4.6.2, 4.7, 4.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely patching of the buffer over-read vulnerability in .NET, .NET Framework, and Visual Studio directly prevents remote code execution exploitation.

preventdetect

Malicious code protection tools scan and block malicious files or links that trick users into triggering the RCE vulnerability.

prevent

Memory protection features like ASLR and DEP mitigate exploitation attempts leveraging the buffer over-read for code execution.

References