Cyber Resilience

CVE-2025-21376

High

Published: 11 February 2025

Published
11 February 2025
Modified
26 February 2025
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0144 81.2th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21376 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 18.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2025-21376 is a remote code execution flaw in the Windows Lightweight Directory Access Protocol (LDAP) component. It carries a CVSS 3.1 base score of 8.1 and is associated with weaknesses including heap-based buffer overflows, integer underflows, and race conditions.

An unauthenticated attacker can target the flaw over the network without user interaction. Successful exploitation, which requires high attack complexity, grants the ability to execute arbitrary code with full impact on confidentiality, integrity, and availability.

Microsoft has published an advisory detailing the issue and available updates through its Security Response Center. The current EPSS score of 0.0144 shows no material increase since disclosure.

EU & UK References

Vulnerability details

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The CVE describes an unauthenticated remote code execution vulnerability in the Windows LDAP component accessible over the network, directly mapping to exploitation of a remote service to execute arbitrary code.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21250Same product: Microsoft Windows 10 1507
CVE-2025-21282Same product: Microsoft Windows 10 1507
CVE-2025-21200Same product: Microsoft Windows 10 1507
CVE-2025-21306Same product: Microsoft Windows 10 1507
CVE-2025-21236Same product: Microsoft Windows 10 1507
CVE-2025-21252Same product: Microsoft Windows 10 1507
CVE-2025-24051Same product: Microsoft Windows 10 1507
CVE-2025-21286Same product: Microsoft Windows 10 1507
CVE-2025-21223Same product: Microsoft Windows 10 1507
CVE-2025-21246Same product: Microsoft Windows 10 1507

Affected Assets

microsoft
windows 10 1507
≤ 10.0.10240.20915 · ≤ 10.0.10240.20915
microsoft
windows 10 1607
≤ 10.0.14393.7785 · ≤ 10.0.14393.7785
microsoft
windows 10 1809
≤ 10.0.17763.6893 · ≤ 10.0.17763.6893
microsoft
windows 10 21h2
≤ 10.0.19044.5487
microsoft
windows 10 22h2
≤ 10.0.19045.5487
microsoft
windows 11 22h2
≤ 10.0.22621.4890
microsoft
windows 11 23h2
≤ 10.0.22631.4890
microsoft
windows 11 24h2
≤ 10.0.26100.3194
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
+5 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the LDAP RCE vulnerability by requiring timely remediation through application of vendor-provided patches as specified in the MSRC update guide.

detect

Identifies systems vulnerable to CVE-2025-21376 via regular vulnerability scanning for known flaws like heap buffer overflows in the Windows LDAP component.

prevent

Limits remote network exposure to the LDAP service by enforcing boundary protections such as firewalls restricting access to LDAP ports (389/TCP, 636/TCP).

References