Cyber Resilience

CVE-2025-21297

High

Published: 14 January 2025

Published
14 January 2025
Modified
24 January 2025
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0173 82.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21297 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 17.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-21297 is a remote code execution vulnerability in Windows Remote Desktop Services, assigned a CVSS v3.1 base score of 8.1 with the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and linked to CWE-416. The flaw affects the Remote Desktop Services component and was publicly disclosed on 14 January 2025.

An unauthenticated attacker can exploit the issue remotely over the network, albeit with high attack complexity, to achieve arbitrary code execution that impacts confidentiality, integrity, and availability without requiring user interaction or privileges.

Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21297 supplies official mitigation guidance and patch information for affected Windows versions.

The associated EPSS score rose from a low baseline to a recorded peak of 0.0300, indicating increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

Windows Remote Desktop Services Remote Code Execution Vulnerability

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Remote code execution vulnerability in Windows Remote Desktop Services enables direct exploitation of the remote service without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-49735Same product: Microsoft Windows Server 2012
CVE-2025-24064Same product: Microsoft Windows Server 2008
CVE-2025-49657Same product: Microsoft Windows Server 2008
CVE-2026-0386Same product: Microsoft Windows Server 2008
CVE-2025-49676Same product: Microsoft Windows Server 2008
CVE-2025-49757Same product: Microsoft Windows Server 2008
CVE-2025-21295Same product: Microsoft Windows Server 2008
CVE-2025-21296Same product: Microsoft Windows Server 2008
CVE-2025-21406Same product: Microsoft Windows Server 2008
CVE-2025-49688Same product: Microsoft Windows Server 2012

Affected Assets

microsoft
windows server 2008
r2
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.7699
microsoft
windows server 2019
≤ 10.0.17763.6775
microsoft
windows server 2022
≤ 10.0.20348.3091
microsoft
windows server 2022 23h2
≤ 10.0.25398.1369
microsoft
windows server 2025
≤ 10.0.26100.2894

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely patching and remediation of known vulnerabilities like CVE-2025-21297 in Windows Remote Desktop Services to prevent remote code execution.

prevent

Restricts systems to least functionality by disabling or prohibiting unnecessary Remote Desktop Services, eliminating the attack surface for this RCE vulnerability.

AC-17 Remote Access partial match
prevent

Establishes controls and restrictions for remote access mechanisms like Remote Desktop Services, such as managed gateways or VPNs, to limit exposure to unauthenticated network-based exploitation.

References