CVE-2025-21279
Published: 06 February 2025
Summary
CVE-2025-21279 is a medium-severity Type Confusion (CWE-843) vulnerability in Microsoft Edge Chromium. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 23.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
Microsoft Edge (Chromium-based) contains a remote code execution vulnerability tracked as CVE-2025-21279. The flaw is associated with CWE-843 and carries a CVSS 3.1 base score of 6.5, reflecting a network attack vector with low attack complexity, no privileges required, and user interaction required, with high confidentiality impact and no impact on integrity or availability.
An unauthenticated remote attacker can exploit the issue by convincing a user to visit a specially crafted web page or resource in Microsoft Edge. Successful exploitation allows the attacker to execute arbitrary code in the context of the current user, primarily resulting in unauthorized disclosure of sensitive information from the affected browser process.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21279 provides official guidance on available updates and mitigation steps for the affected Edge versions.
EPSS scores for the CVE remain low, with a current value of 0.0091 and a recorded peak of 0.0146.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2344
Vulnerability details
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Browser RCE with UI:R enables drive-by compromise (T1189) and client-side exploitation for code execution (T1203).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the RCE vulnerability by requiring timely application of Microsoft patches for the specific flaw in Edge as referenced in the update guide.
- Provides defense-in-depth through malicious code protection mechanisms that detect and block exploit payloads targeting the browser RCE.
- Identifies unpatched Edge installations vulnerable to this CVE via regular vulnerability scanning.