CVE-2025-21187

High

Published: 14 January 2025

Published

14 January 2025

Modified

05 February 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0046 64.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21187 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Power Automate For Desktop. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked in the top 35.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the specific RCE vulnerability in Power Automate by applying patches from the MSRC update guide.

SI-10 Information Input Validation good match

prevent

Enforces validation of inputs such as malicious files or workflows to prevent CWE-94 code injection exploitation.

SI-3 Malicious Code Protection partial match

preventdetect

Anti-malware scanning detects and blocks malicious files or payloads that trigger the user-interaction-based RCE.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

CVE enables arbitrary code execution via malicious file opened by user (T1204.002) and subsequent command/script interpreter abuse (T1059) due to code injection (CWE-94).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Microsoft Power Automate Remote Code Execution Vulnerability

Deeper analysisAI

CVE-2025-21187 is a Remote Code Execution vulnerability in Microsoft Power Automate, published on 2025-01-14T18:15:31.187. It carries a CVSS v3.1 base score of 7.8, with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and is associated with CWE-94 (code injection) and NVD-CWE-noinfo.

The vulnerability can be exploited by a local attacker with no required privileges, provided they can convince a user to perform some interaction, such as opening a malicious file or triggering a specific workflow. Successful exploitation enables arbitrary code execution in the context of the user, resulting in high impacts to confidentiality, integrity, and availability.

The Microsoft Security Response Center (MSRC) has published an update guide for this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21187, which provides details on mitigation and patching.

Details

CWE(s): CWE-94 NVD-CWE-noinfo

Affected Products

microsoft

power automate for desktop

2.46 — 2.46.184.25013 · 2.47 — 2.47.126.25010 · 2.48 — 2.48.164.25010

CVEs Like This One

CVE-2026-21537Same vendor: Microsoft

CVE-2026-26030Same vendor: Microsoft

CVE-2025-49704Same vendor: Microsoft

CVE-2025-21292Same vendor: Microsoft

CVE-2025-65037Same vendor: Microsoft

CVE-2025-21365Same vendor: Microsoft

CVE-2025-29807Same vendor: Microsoft

CVE-2025-24993Same vendor: Microsoft

CVE-2025-53131Same vendor: Microsoft

CVE-2025-65715Shared CWE-94

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21187
Vendor Advisory · secure@microsoft.com