CVE-2025-21194
Published: 11 February 2025
Summary
CVE-2025-21194 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Surface Hub 2S Firmware. Its CVSS base score is 7.1 (High).
Operationally, it ranks at the 40.9th percentile by predicted exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and patching of this security feature bypass flaw in Microsoft Surface devices; in practice, applying the update Microsoft publishes for it before an attacker with adjacent-network access can reach the device.
- SI-10 (Information Input Validation): Directly counters the improper input validation (CWE-20) root cause by validating inputs at the points where the affected component receives them, so that malformed input arriving from an adjacent network is rejected before it can bypass the security feature.
- Mobile-device access control (NIST AC-19): Implements usage restrictions, monitoring, and protections for mobile devices such as Surface to limit unauthorized access and security feature bypasses from adjacent networks. Because the attack vector is adjacent network, restricting which networks these devices may join, and segmenting them from untrusted clients, reduces exposure.
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
NVD Description
Microsoft Surface Security Feature Bypass Vulnerability
Deeper analysis
CVE-2025-21194 is a security feature bypass vulnerability affecting Microsoft Surface devices. Published on 2025-02-11, it carries a CVSS v3.1 base score of 7.1 (High), with vector AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. NVD links the issue to CWE-20 (Improper Input Validation) and gives no further CWE detail.
Reading the vector: the attacker must be on an adjacent network (AV:A, for example the same LAN or Wi-Fi segment as the device), needs no privileges (PR:N), but faces high attack complexity (AC:H) and depends on a user action (UI:R). Scope is unchanged (S:U), so the damage is confined to the vulnerable component, yet confidentiality, integrity and availability are each rated High (C:H/I:H/A:H): a successful exploit bypasses the security feature and can expose confidential data, alter the component's state and disrupt its availability. The adjacency, high-complexity and user-interaction requirements are what hold the score at High rather than Critical despite the full CIA impact.
For mitigation details, security practitioners should refer to the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21194.
Details
- CWE(s)