CVE-2025-21222
Published: 08 April 2025
Summary
CVE-2025-21222 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 17.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-21222 is a heap-based buffer overflow vulnerability, tracked under CWE-122, that affects the Windows Telephony Service. The flaw received a CVSS v3.1 score of 8.8 and was publicly disclosed on 8 April 2025.
An unauthenticated remote attacker can trigger the overflow over a network by sending specially crafted input, although exploitation requires user interaction; a successful attack results in arbitrary code execution with high impact to confidentiality, integrity, and availability.
The sole reference points to the Microsoft Security Response Center advisory for CVE-2025-21222, which is the authoritative source for patch availability and mitigation guidance. The associated EPSS score has remained low, moving only from a peak of 0.0205 to a current value of 0.0174.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-10244
Vulnerability details
Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network.
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.