Cyber Resilience

CVE-2025-21326

High

Published: 14 January 2025

Modified: 22 January 2025
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0073 (73.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21326 is a high-severity Type Confusion (CWE-843) vulnerability in Microsoft Windows Server 2022 23H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 26.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-21326 is an Internet Explorer Remote Code Execution Vulnerability, published on 2025-01-14T18:15:57.170. It affects Internet Explorer and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability is associated with CWE-843 and NVD-CWE-noinfo.

The attack requires local access (AV:L) with low attack complexity (AC:L) and no privileges (PR:N), but user interaction is required (UI:R). A local attacker can exploit it by tricking the user into performing a specific action, such as interacting with a malicious webpage or file in Internet Explorer. Successful exploitation enables remote code execution in the context of the user, leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) with unchanged scope (S:U).

The Microsoft Security Response Center (MSRC) advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21326 provides details on the vulnerability, including recommended patches and mitigation steps.

EU & UK References

Vulnerability details

Internet Explorer Remote Code Execution Vulnerability

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1203 Exploitation for Client Execution · Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.001 Malicious Link · Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.

T1204.002 Malicious File · Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

The CVE is an RCE vulnerability in the Internet Explorer client application requiring user interaction with a malicious webpage or file, directly mapping to Exploitation for Client Execution (T1203) and User Execution via malicious link/file (T1204.001/T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21408 · Same vendor: Microsoft
CVE-2025-21342 · Same vendor: Microsoft
CVE-2026-35417 · Same product: Microsoft Windows Server 2022 23H2
CVE-2026-26110 · Same vendor: Microsoft
CVE-2025-62554 · Same vendor: Microsoft
CVE-2025-50171 · Same product: Microsoft Windows Server 2022 23H2
CVE-2025-21372 · Same product: Microsoft Windows Server 2022 23H2
CVE-2025-21315 · Same product: Microsoft Windows Server 2022 23H2
CVE-2026-21519 · Same product: Microsoft Windows Server 2022 23H2
CVE-2025-21311 · Same product: Microsoft Windows Server 2022 23H2

Affected Assets

microsoft · windows server 2022 23h2 · ≤ 10.0.25398.1369
microsoft · windows server 2025 · ≤ 10.0.26100.2894

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent · Directly remediates the Internet Explorer RCE vulnerability by requiring timely installation of Microsoft patches as specified in the MSRC advisory.

prevent · Eliminates exposure to this and similar vulnerabilities by prohibiting, replacing, or additionally controlling unsupported Internet Explorer components.

prevent · Provides memory protections like DEP and ASLR that hinder successful remote code execution even if the vulnerability is triggered.

References