CVE-2025-21224
Published: 14 January 2025
Summary
CVE-2025-21224 is a high-severity use-after-free (CWE-416) vulnerability in the Windows Line Printer Daemon (LPD) Service of Microsoft Windows 10 21H2. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.9% of all CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).
Deeper analysis
The vulnerability CVE-2025-21224 affects the Windows Line Printer Daemon (LPD) Service and is classified as a remote code execution issue; the associated weaknesses are use-after-free (CWE-416) and Sensitive Data Storage in Improperly Locked Memory (CWE-591). It carries a CVSS 3.1 base score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): network attack vector, high attack complexity, no privileges or user interaction required, scope unchanged, and high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker who can reach the LPD service over the network can execute arbitrary code, potentially leading to complete system compromise without any local access or user assistance. The high attack complexity (AC:H) means exploitation depends on conditions outside the attacker's direct control, which is what keeps the score below the critical range despite the otherwise worst-case metrics.
Microsoft's advisory on msrc.microsoft.com describes the issue and the available updates; third-party resources also publish scripts for detecting and mitigating the affected LPD service on Windows hosts.
The EPSS score rose from an initial low of 0.0068 (a 0.68% predicted probability of exploitation within 30 days) to a peak of 0.0134 (1.34%). The doubling indicates that exploitation interest emerged after disclosure and that the CVE warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2291
Vulnerability details
Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LPD is an unauthenticated network service listening on TCP 515, so a successful exploit is direct remote code execution with no credentials or user action. That maps to Exploit Public-Facing Application (T1190) where the service is reachable from untrusted networks, and to Exploitation of Remote Services (T1210) when an attacker already inside the network uses it to move laterally.
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation: installing Microsoft's update removes the use-after-free in the LPD service and is the primary control; the two controls below reduce exposure until the update is applied and limit blast radius afterwards.
CM-7 enforces least functionality: the LPD service is an optional component that most hosts do not need, so disabling or uninstalling it removes the remote code execution attack surface entirely.
SC-7 provides boundary protection: blocking inbound TCP 515 at the network edge and at the host firewall denies unauthenticated remote reach to the LPD listener, so an unpatched host cannot be targeted from outside its segment.
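The following PowerShell script is an added illustration of the CM-7 and SC-7 controls above; it is not taken from Microsoft's advisory or from the third-party detection resources mentioned earlier. It audits a host for LPD exposure (service installed, listener on 515, host-firewall block rule) and, with -Remediate, stops and disables the service, removes the optional feature, and adds the block rule. It assumes the service name LPDSVC, the Windows 10 optional-feature name Printing-LPDPrintService, and TCP port 515 as the listener; the firewall rule name is arbitrary. Run it from an elevated session. It does not install the update, which remains the primary fix (SI-2).

```powershell
<#
  Added example (not Microsoft's code): audit and optionally remediate exposure
  of the Windows LPD Service for CVE-2025-21224.
  Assumptions: service name LPDSVC, optional feature Printing-LPDPrintService,
  listener on TCP 515. Requires an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$LpdServiceName = 'LPDSVC'                    # assumed service name of the LPD Service
$LpdFeatureName = 'Printing-LPDPrintService'  # assumed optional-feature name (Windows client)
$LpdPort        = 515                         # IANA-registered LPD port
$RuleName       = 'Block inbound LPD (TCP 515) - CVE-2025-21224'  # arbitrary rule name

function Get-LpdExposure {
    # Three facts an analyst needs: is the service present (and how is it
    # configured), is anything listening on 515, and is inbound 515 blocked.
    $svc      = Get-Service -Name $LpdServiceName -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort $LpdPort -State Listen -ErrorAction SilentlyContinue
    $rule     = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServicePresent   = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        ServiceStartType = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        ListeningOn515   = [bool]$listener
        BlockRulePresent = [bool]$rule
    }
}

function Invoke-LpdRemediation {
    # CM-7 (least functionality): stop and disable the service, then remove the
    # optional feature so it cannot be started again by accident.
    $svc = Get-Service -Name $LpdServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $LpdServiceName -Force }
        Set-Service -Name $LpdServiceName -StartupType Disabled
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $LpdFeatureName -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $LpdFeatureName -NoRestart | Out-Null
    }

    # SC-7 (boundary protection): block inbound TCP 515 at the host firewall
    # regardless of service state, so a re-enabled service is still unreachable.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $LpdPort -Action Block -Profile Any -Enabled True | Out-Null
    }
}

$before = Get-LpdExposure
Write-Host 'LPD exposure before any change:'
$before | Format-List

if ($Remediate) {
    if ($before.ServicePresent -or $before.ListeningOn515 -or -not $before.BlockRulePresent) {
        Invoke-LpdRemediation
        Write-Host 'LPD exposure after remediation:'
        Get-LpdExposure | Format-List
    } else {
        Write-Host 'No LPD exposure found; nothing to change.'
    }
}
```

Run without arguments on a fleet (for example via a remoting loop) to inventory which hosts still expose LPD; a host that reports ListeningOn515 = True with BlockRulePresent = False is the one to prioritise for patching. The firewall rule is kept even after the service is removed because it costs nothing and protects against the feature being re-added later; the script does not check whether the Microsoft update is installed, since that depends on the KB for the specific build and is better verified through the patch-management system.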