Cyber Resilience

CVE-2025-21396

Severity: High
Published: 29 January 2025
Modified: 12 February 2025
KEV Added: not listed
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0205 (84.2nd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21396 is a high-severity Missing Authorization (CWE-862) vulnerability in Microsoft Account. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 15.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

The vulnerability CVE-2025-21396 is a missing authorization flaw (CWE-862) affecting Microsoft Account. It received a CVSS 3.1 score of 8.2: network attack vector, low attack complexity, and neither privileges nor user interaction required, with limited integrity impact alongside high availability impact.

An unauthenticated attacker can exploit the issue remotely to elevate privileges on the affected Microsoft Account component, enabling unauthorized modifications and service disruption without any user interaction.

Microsoft publishes mitigation details for this vulnerability in its Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21396. The associated EPSS scores remain low, with a current value of 0.0205 and a recorded peak of 0.0279.

Vulnerability details

Missing authorization in Microsoft Account allows an unauthorized attacker to elevate privileges over a network.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The missing authorization vulnerability directly enables remote unauthorized privilege escalation within Microsoft Account, mapping to exploitation of software vulnerabilities for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35438 (same vendor: Microsoft)
CVE-2025-49723 (same vendor: Microsoft)
CVE-2026-21264 (same product: Microsoft Account)
CVE-2025-49747 (same vendor: Microsoft)
CVE-2026-8547 (same vendor: Microsoft)
CVE-2026-21231 (same vendor: Microsoft)
CVE-2026-32091 (same vendor: Microsoft)
CVE-2026-25174 (same vendor: Microsoft)
CVE-2026-42823 (same vendor: Microsoft)
CVE-2025-59247 (same vendor: Microsoft)

Affected Assets

Vendor: microsoft
Product: account
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to information and system resources, directly mitigating the missing authorization that allows unauthorized privilege escalation.

AC-6 Least Privilege (prevent)
Employs least privilege to restrict access rights, limiting the scope and impact of privilege elevation from unauthorized actions.

AC-24 Access Control Decisions (prevent)
Requires authorization decisions for access to system resources by defined personnel or roles, addressing the lack of authorization checks in privilege elevation paths.