Cyber Posture

CVE-2025-21176

High

Published: 14 January 2025

Modified: 06 May 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0141 (80.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21176 is a high-severity Buffer Over-read (CWE-126) vulnerability in Microsoft .NET Framework. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE ranks in the top 19.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious Link (T1204.001) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Timely patching of the buffer over-read vulnerability in .NET, .NET Framework, and Visual Studio directly prevents remote code execution exploitation.

prevent · detect

Malicious code protection tools scan and block malicious files or links that trick users into triggering the RCE vulnerability.

prevent

Memory protection features like ASLR and DEP mitigate exploitation attempts leveraging the buffer over-read for code execution.

MITRE ATT&CK Enterprise Techniques · AI

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

RCE requires user interaction with a malicious file or link, which maps directly to the User Execution sub-techniques.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

Deeper analysis · AI

CVE-2025-21176 is a remote code execution vulnerability affecting .NET, .NET Framework, and Visual Studio. Published on January 14, 2025, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-126 (Buffer Over-read), though additional CWE details are unavailable from NVD.

An unauthenticated attacker on the network can exploit this vulnerability with low complexity by tricking a user into performing an action, such as interacting with a malicious file or link. Successful exploitation enables remote code execution on the target system, resulting in high impacts to confidentiality, integrity, and availability.

For mitigation details, refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21176 and the HeroDevs vulnerability directory at https://www.herodevs.com/vulnerability-directory/cve-2025-21176.

Details

CWE(s)

Affected Products

microsoft .net: 8.0.0, 9.0.0
microsoft visual studio 2017: 15.0 — 15.9.69
microsoft .net framework: 3.5, 4.6, 4.6.2, 4.7, 4.7.1

CVEs Like This One

CVE-2025-21277 · Same product: Microsoft Windows 10 1507
CVE-2026-33116 · Same product: Apple Macos
CVE-2026-20846 · Same product: Microsoft Windows 10 1607
CVE-2025-21305 · Same product: Microsoft Windows 10 1507
CVE-2025-24993 · Same product: Microsoft Windows 10 1507
CVE-2025-21172 · Same product: Apple Macos
CVE-2026-26184 · Same product: Microsoft Windows 10 1809
CVE-2025-24985 · Same product: Microsoft Windows 10 1507
CVE-2025-21180 · Same product: Microsoft Windows 10 1507
CVE-2025-21332 · Same product: Microsoft Windows 10 1507

References