CVE-2025-21366
Published: 14 January 2025
Summary
CVE-2025-21366 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 16.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation, which removes the vulnerability itself by applying Microsoft's patches for this specific Access RCE vulnerability.
SI-16 enforces memory protections like ASLR, DEP, and canaries that comprehensively mitigate use-after-free (CWE-416) exploitation attempts.
SI-3 deploys malicious code protection to scan Access files for threats and detect behavioral indicators of RCE during file opening.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a client-side RCE in Microsoft Access triggered when a user opens a malicious file/database, directly mapping to T1203 (Exploitation for Client Execution) and T1204.002 (Malicious File).
NVD Description
Microsoft Access Remote Code Execution Vulnerability
Deeper analysis
CVE-2025-21366 is a Remote Code Execution vulnerability affecting Microsoft Access. Published on 2025-01-14, it is linked to CWE-416 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact with local attack vector, low complexity, no privileges required, and user interaction needed.
An attacker exploits this vulnerability by tricking a user into interacting with a malicious Access file or database, for example by opening it (local attack vector, user interaction required). Successful exploitation enables code execution in the context of the user, with high confidentiality, integrity, and availability impact on the affected system.
Microsoft provides mitigation guidance in its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21366.
Details
- CWE(s)