CVE-2025-21206

High

Published: 11 February 2025

Published

11 February 2025

Modified

28 February 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0043 62.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21206 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Microsoft Visual Studio 2022. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 37.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the untrusted search path vulnerability in Visual Studio Installer by requiring timely application of vendor-provided patches.

CM-14 Signed Components good match

prevent

Requires digital signatures and verification for software components, preventing the Visual Studio Installer from loading and executing malicious DLLs from untrusted search paths.

SI-3 Malicious Code Protection partial match

preventdetect

Deploys anti-malware mechanisms to scan for, prevent, and detect malicious code such as DLLs placed by local attackers in untrusted search paths exploited by this vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1574.002 DLL Side-Loading Stealth

Adversaries may execute their own malicious payloads by side-loading DLLs.

attack.mitre.org →

Why these techniques?

CWE-427 untrusted search path in VS Installer directly enables local DLL side-loading for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Visual Studio Installer Elevation of Privilege Vulnerability

Deeper analysisAI

CVE-2025-21206 is an Elevation of Privilege vulnerability in the Visual Studio Installer. Published on 2025-02-11T18:15:31.610, it carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is linked to CWE-427 (Untrusted Search Path) as well as NVD-CWE-noinfo.

The vulnerability can be exploited by a local attacker possessing low privileges, requiring low attack complexity and user interaction. Successful exploitation enables privilege escalation, resulting in high impacts to confidentiality, integrity, and availability.

Microsoft provides details on the vulnerability, including mitigation and patch information, in their Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21206.

Details

CWE(s): CWE-427 NVD-CWE-noinfo

Affected Products

microsoft

visual studio 2017

15.0 — 15.9.70

microsoft

visual studio 2019

16.0 — 16.11.44

microsoft

visual studio 2022

17.8 — 17.8.18 · 17.10 — 17.10.11 · 17.12 — 17.12.5

CVEs Like This One

CVE-2025-24998Same product: Microsoft Visual Studio 2017

CVE-2025-25003Same product: Microsoft Visual Studio 2019

CVE-2025-21178Same product: Microsoft Visual Studio 2017

CVE-2025-49739Same product: Microsoft Visual Studio 2017

CVE-2026-32172Same vendor: Microsoft

CVE-2025-57836Same vendor: Microsoft

CVE-2024-55540Same vendor: Microsoft

CVE-2024-55543Same vendor: Microsoft

CVE-2025-21405Same product: Microsoft Visual Studio 2022

CVE-2025-24039Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21206
Patch, Vendor Advisory · secure@microsoft.com