Cyber Resilience

CVE-2025-21311

Critical

Published: 14 January 2025

Published
14 January 2025
Modified
24 January 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0442 89.3th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21311 is a critical-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in Microsoft Windows 11 24H2. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

Windows NTLM V1 Elevation of Privilege Vulnerability CVE-2025-21311 affects the Windows implementation of the NTLM version 1 authentication protocol. The flaw carries a CVSS 3.1 score of 9.8 and is associated with CWE-303, indicating an incorrect implementation of an authentication algorithm that can be reached over the network without credentials or user interaction.

An unauthenticated attacker can exploit the vulnerability remotely to obtain elevated privileges equivalent to those of a local administrator, resulting in full compromise of confidentiality, integrity, and availability on the target system.

Microsoft’s advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21311 addresses the issue and supplies the corresponding security update. The associated EPSS score rose from lower values to a peak of 0.0684 on 2026-02-03 before receding to its current level of 0.0442, indicating a temporary increase in observed exploitation interest after disclosure.

EU & UK References

Vulnerability details

Windows NTLM V1 Elevation of Privilege Vulnerability

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE is explicitly described as a remote elevation of privilege vulnerability in the Windows NTLM V1 authentication component with no privileges or user interaction required, directly mapping to exploitation of a software vulnerability for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21372Same product: Microsoft Windows 11 24H2
CVE-2025-21315Same product: Microsoft Windows 11 24H2
CVE-2026-21250Same product: Microsoft Windows 11 24H2
CVE-2025-21182Same product: Microsoft Windows 11 24H2
CVE-2025-21183Same product: Microsoft Windows 11 24H2
CVE-2025-24076Same product: Microsoft Windows 11 24H2
CVE-2026-21232Same product: Microsoft Windows 11 24H2
CVE-2026-33101Same product: Microsoft Windows 11 24H2
CVE-2026-24283Same product: Microsoft Windows 11 24H2
CVE-2026-32076Same product: Microsoft Windows 11 24H2

Affected Assets

microsoft
windows 11 24h2
≤ 10.0.26100.2894
microsoft
windows server 2022 23h2
≤ 10.0.25398.1369
microsoft
windows server 2025
≤ 10.0.26100.2894

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification, reporting, and correction of the specific NTLM V1 elevation of privilege flaw through timely application of Microsoft patches.

prevent

Enforces baseline configuration settings to disable or restrict legacy NTLM V1 authentication, directly preventing remote exploitation.

prevent

Limits the impact of successful NTLM V1 privilege escalation by ensuring components execute with minimal privileges necessary.

References