Cyber Posture

CVE-2025-21224

High

Published: 14 January 2025

Modified: 29 May 2025
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0050 (66.2th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21224 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SI-2 mandates timely flaw remediation, directly addressing the Use After Free vulnerability in the Windows LPD service via Microsoft patches.

Prevent: CM-7 enforces least functionality by disabling the unnecessary LPD service, eliminating the remote code execution attack surface.

Prevent: SC-7 provides boundary protection to block inbound network traffic to LPD service port 515, preventing unauthenticated remote exploitation.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Direct unauthenticated RCE in the network-exposed Windows LPD service enables remote exploitation of public-facing applications and remote services for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

Deeper analysis · AI

CVE-2025-21224 is a Remote Code Execution vulnerability in the Windows Line Printer Daemon (LPD) Service. Published on 2025-01-14, it carries a CVSS v3.1 base score of 8.1 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and is associated with CWE-416 (Use After Free) and CWE-591.

Unauthenticated remote attackers can exploit this vulnerability over the network with high attack complexity and no user interaction. Successful exploitation enables arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability.

Microsoft's update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21224 provides details on patching. Vicarius offers a detection script at https://www.vicarius.io/vsociety/posts/cve-2025-21224-remote-code-execution-vulnerability-in-windows-line-printer-daemon-service-detection-script and a mitigation script at https://www.vicarius.io/vsociety/posts/cve-2025-21224-remote-code-execution-vulnerability-in-windows-line-printer-daemon-service-mitigation-script.

Details

CWE(s)

Affected Products

microsoft · windows 10 21h2 · ≤ 10.0.19044.5371
microsoft · windows 10 22h2 · ≤ 10.0.19045.5371
microsoft · windows 11 22h2 · ≤ 10.0.22621.4751
microsoft · windows 11 23h2 · ≤ 10.0.22631.4751
microsoft · windows 11 24h2 · ≤ 10.0.26100.2894
microsoft · windows server 2022 · ≤ 10.0.20348.3091
microsoft · windows server 2022 23h2 · ≤ 10.0.25398.1369
microsoft · windows server 2025 · ≤ 10.0.26100.2894

CVEs Like This One

CVE-2025-24035 · Same product: Microsoft Windows 10 21H2
CVE-2025-21335 · Same product: Microsoft Windows 10 21H2
CVE-2025-21334 · Same product: Microsoft Windows 10 21H2
CVE-2025-21367 · Same product: Microsoft Windows 10 21H2
CVE-2025-49724 · Same product: Microsoft Windows 10 21H2
CVE-2025-21406 · Same product: Microsoft Windows 10 21H2
CVE-2025-53144 · Same product: Microsoft Windows 10 21H2
CVE-2025-21296 · Same product: Microsoft Windows 10 21H2
CVE-2025-21295 · Same product: Microsoft Windows 10 21H2
CVE-2025-47981 · Same product: Microsoft Windows 10 21H2
