CVE-2025-21366
Published: 14 January 2025
Summary
CVE-2025-21366 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 16.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Microsoft Access contains a remote code execution vulnerability tracked as CVE-2025-21366. The flaw is associated with CWE-416 and carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low attack complexity, no privileges required, and required user interaction, with high impact to confidentiality, integrity, and availability.
An attacker can exploit the issue by supplying a specially crafted file that a user opens in Microsoft Access. Successful exploitation grants the ability to execute arbitrary code in the context of the current user without needing elevated privileges.
The official advisory published by Microsoft at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21366 addresses mitigation steps and available updates. The associated EPSS score remains low, with a current value of 0.0186 and a peak of 0.0212.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2429
Vulnerability details
Microsoft Access Remote Code Execution Vulnerability
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a client-side RCE in Microsoft Access triggered when a user opens a malicious file/database, directly mapping to T1203 (Exploitation for Client Execution) and T1204.002 (Malicious File).
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation; applying Microsoft's patch for this specific Access RCE vulnerability directly prevents exploitation.
SI-16 enforces memory protections like ASLR, DEP, and canaries that comprehensively mitigate use-after-free (CWE-416) exploitation attempts.
SI-3 deploys malicious code protection to scan Access files for threats and detect behavioral indicators of RCE during file opening.