Cyber Posture

CVE-2025-21283

Severity: Medium
Published: 06 February 2025
Modified: 11 February 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (see the MSRC update guide below)
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0042 (62.0th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21283 is a medium-severity Insufficient Granularity of Address Regions Protected by Register Locks (CWE-1222) vulnerability in Microsoft Edge Chromium. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). By EPSS it ranks in the top 38.0% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and one other technique, Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation). Directly requires timely identification, reporting, prioritization, and remediation of flaws like CVE-2025-21283 through vendor patches for Microsoft Edge.

Detect: SI-5 (Security Alerts, Advisories, and Directives). Mandates monitoring and dissemination of security alerts and advisories, such as the MSRC update guide for this Edge RCE vulnerability, to enable prompt patching.

Detect: RA-5 (Vulnerability Monitoring and Scanning). Requires vulnerability scanning and monitoring to identify systems running vulnerable versions of Chromium-based Microsoft Edge affected by this RCE flaw.

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Browser RCE via malicious webpage directly maps to drive-by compromise (T1189) and client application exploitation for execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Deeper analysis

CVE-2025-21283 is a remote code execution vulnerability in Microsoft Edge, the Chromium-based web browser. Published on 2025-02-06, it carries a CVSS v3.1 base score of 6.5, with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, and is linked to CWE-1222 as well as NVD-CWE-noinfo.

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity by tricking a user into some form of interaction, such as visiting a malicious webpage. Successful exploitation enables remote code execution within the browser's context, resulting in high confidentiality impact while having no integrity or availability effects.

Microsoft's Security Response Center has issued an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21283, where security practitioners and users are directed to apply the available patches to mitigate the issue.

Details

CWE(s): CWE-1222 (Insufficient Granularity of Address Regions Protected by Register Locks), NVD-CWE-noinfo

Affected Products: Microsoft Edge Chromium, versions ≤ 133.0.3065.51

CVEs Like This One

CVE-2025-21279 (same product: Microsoft Edge Chromium)
CVE-2025-21342 (same product: Microsoft Edge Chromium)
CVE-2025-21408 (same product: Microsoft Edge Chromium)
CVE-2026-21223 (same product: Microsoft Edge Chromium)
CVE-2025-21239 (same vendor: Microsoft)
CVE-2025-24081 (same vendor: Microsoft)
CVE-2025-26645 (same vendor: Microsoft)
CVE-2026-21510 (same vendor: Microsoft)
CVE-2025-21362 (same vendor: Microsoft)
CVE-2026-20952 (same vendor: Microsoft)
