Cyber Resilience

CVE-2025-21206

High

Published: 11 February 2025

Modified: 28 February 2025
KEV Added
Patch
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0065 (46.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-21206 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Microsoft Visual Studio 2022. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 46.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-21206 is an elevation of privilege vulnerability in the Visual Studio Installer component. It carries a CVSS 3.1 base score of 7.3 and is associated with CWE-427. The flaw allows an attacker to gain unauthorized higher-level access on an affected system when specific local conditions are met.

A local attacker with low privileges can exploit the issue when user interaction occurs, resulting in full compromise of confidentiality, integrity, and availability on the target host. The attack vector is local only (AV:L), and the CVSS scope is unchanged (S:U).

Microsoft has published guidance for the vulnerability in its security update guide. The EPSS score rose from a low baseline to a peak of 0.0166 on 2025-12-11 before receding to the current value of 0.0043, indicating a temporary increase in observed exploitation interest after disclosure.

Vulnerability details

Visual Studio Installer Elevation of Privilege Vulnerability

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1574.001 DLL · Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
Why these techniques?

The CWE-427 uncontrolled search path element in the VS Installer directly enables local DLL side-loading for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24998 · Same product: Microsoft Visual Studio 2017
CVE-2025-25003 · Same product: Microsoft Visual Studio 2019
CVE-2025-21178 · Same product: Microsoft Visual Studio 2017
CVE-2025-49739 · Same product: Microsoft Visual Studio 2017
CVE-2026-32172 · Same vendor: Microsoft
CVE-2022-28339 · Same vendor: Microsoft
CVE-2024-55543 · Same vendor: Microsoft
CVE-2025-57836 · Same vendor: Microsoft
CVE-2024-55540 · Same vendor: Microsoft
CVE-2025-21405 · Same product: Microsoft Visual Studio 2022

Affected Assets

microsoft visual studio 2017: 15.0 to 15.9.70
microsoft visual studio 2019: 16.0 to 16.11.44
microsoft visual studio 2022: 17.8 to 17.8.18 · 17.10 to 17.10.11 · 17.12 to 17.12.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the untrusted search path vulnerability in Visual Studio Installer by requiring timely application of vendor-provided patches.

prevent

Requires digital signatures and verification for software components, preventing the Visual Studio Installer from loading and executing malicious DLLs from untrusted search paths.

prevent · detect

Deploys anti-malware mechanisms to scan for, prevent, and detect malicious code such as DLLs placed by local attackers in untrusted search paths exploited by this vulnerability.
