CVE-2025-21304
Published: 14 January 2025
Summary
CVE-2025-21304 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 10 1607. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 48.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability in the DWM Core Library by identifying, testing, and applying vendor-provided patches.
Implements memory safeguards such as ASLR, DEP, and control-flow integrity that hinder exploitation of the use-after-free error.
Enforces least privilege for local accounts, limiting the ability of low-privileged attackers to trigger the elevation of privilege vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a local elevation of privilege vulnerability in DWM Core Library via use-after-free, enabling a low-privileged attacker to achieve arbitrary code execution as SYSTEM; this directly maps to Exploitation for Privilege Escalation.
NVD Description
Microsoft DWM Core Library Elevation of Privilege Vulnerability
Deeper analysisAI
CVE-2025-21304 is an elevation of privilege vulnerability in the Microsoft DWM Core Library, stemming from a use-after-free error (CWE-416). It affects the Desktop Window Manager Core Library component in Microsoft Windows operating systems. The vulnerability has a CVSS v3.1 base score of 7.8 (High), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access is required, low attack complexity, low privileges needed, no user interaction, unchanged scope, and high impacts on confidentiality, integrity, and availability.
A low-privileged local attacker can exploit this vulnerability to elevate privileges on the affected system. By triggering the use-after-free condition in the DWM Core Library, the attacker can achieve arbitrary code execution with SYSTEM-level privileges, potentially leading to full system compromise, data theft, modification of critical files, or disruption of services.
Microsoft's security advisory provides details on mitigation and available patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21304. Security practitioners should apply the recommended updates promptly to address this issue.
Details
- CWE(s)