CVE-2025-21311
Published: 14 January 2025
Summary
CVE-2025-21311 is a critical-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 12.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires identification, reporting, and correction of the specific NTLM V1 elevation of privilege flaw through timely application of Microsoft patches.
Enforces baseline configuration settings to disable or restrict legacy NTLM V1 authentication, directly preventing remote exploitation.
Limits the impact of successful NTLM V1 privilege escalation by ensuring components execute with minimal privileges necessary.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE is explicitly described as a remote elevation of privilege vulnerability in the Windows NTLM V1 authentication component with no privileges or user interaction required, directly mapping to exploitation of a software vulnerability for privilege escalation.
NVD Description
Windows NTLM V1 Elevation of Privilege Vulnerability
Deeper analysis
CVE-2025-21311 is a Windows NTLM V1 Elevation of Privilege Vulnerability, published on 2025-01-14. It affects the NTLM V1 authentication component in Windows systems, as indicated by the CWE-303 association and lack of additional CWE details from NVD.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Remote attackers require only network access, with low attack complexity, no privileges, and no user interaction. Exploitation enables elevation of privilege, resulting in high impacts to confidentiality, integrity, and availability.
Microsoft's Security Response Center provides vulnerability update guidance, including patches and mitigations, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21311.