CVE-2025-21220
Published: 14 January 2025
Summary
CVE-2025-21220 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in Microsoft Windows 10 1507. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the uninitialized resource vulnerability in MSMQ through timely application of vendor patches, preventing remote information disclosure.
- CM-7 (Least Functionality): prohibits or restricts non-essential MSMQ functionality or ports, eliminating exposure to the unauthenticated, network-accessible vulnerability.
- Monitors and controls network communications to MSMQ interfaces, reducing opportunities for remote unauthenticated attackers to trigger the information disclosure.
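The following PowerShell script is an added example, not part of the advisory, that inventories a Windows 10 host's MSMQ exposure so the CM-7 and SI-2 controls above can be prioritised. It assumes the optional feature name MSMQ-Server, the service name MSMQ, and TCP 1801 as MSMQ's default listening port (none of which the advisory states), and it should be run from an elevated session.

```powershell
# Added example (not from the advisory): inventory MSMQ exposure on a Windows 10 host.
# Assumptions: feature name 'MSMQ-Server', service name 'MSMQ', TCP 1801 as the MSMQ
# listening port. Run elevated.

$report = [ordered]@{}

# 1. Is the MSMQ optional feature installed at all? (CM-7: remove it if not needed)
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
$report.FeatureState = if ($feature) { $feature.State } else { 'NotPresent' }

# 2. Is the MSMQ service present and running?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$report.ServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }

# 3. Is anything listening on TCP 1801, and does an enabled inbound firewall rule allow it?
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$report.Listening1801 = [bool]$listener

$allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '1801' }
$report.FirewallAllows1801 = @($allowRules).Count -gt 0

# 4. Most recently installed update (SI-2): compare against the MSRC advisory for
#    CVE-2025-21220 to confirm the fixing update for this build is present.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report.LatestHotfix = "$($latest.HotFixID) installed $($latest.InstalledOn)"

[pscustomobject]$report | Format-List

# CM-7 remediation when MSMQ is not required: remove the feature so the vulnerable
# component is no longer present (commented out; uncomment after confirming no dependency).
# Disable-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -NoRestart
```

A host reporting FeatureState Enabled, Listening1801 True and FirewallAllows1801 True matches the network-reachable, unauthenticated attack surface described in the CVSS vector and should be patched or have MSMQ removed first.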
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated network exploit of MSMQ service directly enables T1190 for information disclosure.
NVD Description
Microsoft Message Queuing Information Disclosure Vulnerability
Deeper analysis
CVE-2025-21220 is an information disclosure vulnerability in Microsoft Message Queuing (MSMQ), published on 2025-01-14. It stems from CWE-908 (use of uninitialized resource) and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low complexity, and no requirements for privileges or user interaction.
A remote, unauthenticated attacker can exploit this vulnerability over the network to disclose sensitive information from the affected MSMQ component. The attack requires no special privileges or user involvement, allowing an adversary to obtain high-impact confidential data without affecting integrity or availability.
For mitigation details, refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21220.
Details
- CWE(s)