CVE-2025-21291
Published: 14 January 2025
Summary
CVE-2025-21291 is a high-severity Double Free (CWE-415) vulnerability in Microsoft Windows 10 1809. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 15.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-21291 is a remote code execution vulnerability in the Windows DirectShow component. It carries a CVSS 3.1 base score of 8.8 with the vector string AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and is classified as CWE-415 (Double Free).
An unauthenticated remote attacker can exploit the flaw by convincing a user to open a specially crafted file or content over the network, resulting in arbitrary code execution with the privileges of the current user and full impact on confidentiality, integrity, and availability.
Microsoft has published an advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21291 that addresses the issue. The EPSS score remains flat at 0.0225 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2356
Vulnerability details
Windows Direct Show Remote Code Execution Vulnerability
- CWE(s): CWE-415 (Double Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A client-side RCE in the Windows DirectShow multimedia framework, reachable over the network but requiring user interaction, maps directly to Exploitation for Client Execution and to user execution of malicious content.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly mandating application of Microsoft patches to eliminate the Windows DirectShow RCE vulnerability.
RA-5 implements vulnerability scanning to identify systems affected by CVE-2025-21291 in the DirectShow multimedia framework.
SI-16 provides memory protections such as ASLR and DEP that make reliable remote code execution harder even if the DirectShow double free is triggered.