CVE-2025-21396
Published: 29 January 2025
Summary
CVE-2025-21396 is a high-severity Missing Authorization (CWE-862) vulnerability in Microsoft Account. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it in the top 15.8% of CVEs by estimated exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2025-21396 is a missing authorization flaw (CWE-862) in Microsoft Account. Its CVSS 3.1 base score is 8.2: the attack vector is network, attack complexity is low, and no privileges or user interaction are required; the impact is none to confidentiality, low to integrity and high to availability.
Because no authentication is needed, a remote, unauthenticated attacker can elevate privileges on the affected Microsoft Account component, making unauthorized modifications and disrupting service without any action by a victim.
Microsoft publishes its advisory and remediation status for this vulnerability in the Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21396. The EPSS probability remains low: the current value is 0.0205 (roughly a 2% estimated chance of exploitation activity in the next 30 days) and the recorded peak is 0.0279.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2457
Vulnerability details
Missing authorization in Microsoft Account allows an unauthorized attacker to elevate privileges over a network.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The missing authorization check lets a remote, unauthenticated attacker elevate privileges within Microsoft Account, which is exactly the behaviour T1068 describes: abusing a software vulnerability to obtain higher privileges than the attacker holds.
Mitigating Controls (NIST 800-53 r5)
- AC-3 Access Enforcement: enforces approved authorizations for logical access to information and system resources, directly addressing the missing authorization check that allows unauthorized privilege escalation.
- AC-6 Least Privilege: restricts each account to the access rights it needs, limiting the scope and impact of any privilege elevation an attacker does achieve.
- AC-24 Access Control Decisions: requires an explicit authorization decision before access to a resource is granted, so a privilege-changing path cannot proceed without one.
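A minimal illustration of the vulnerability class and of the controls above, added here as an example; it is not Microsoft's code and says nothing about the actual Microsoft Account code path. A hypothetical role-management handler is written twice: first with the authorization check missing (CWE-862), then with a deny-by-default access decision (AC-24) that is enforced on every call (AC-3) and bounded by least privilege (AC-6). The roles, permissions and accounts are constructed for the example.

```python
"""
Generic CWE-862 (missing authorization) pattern next to a hardened version.
Added illustration only: a hypothetical role-management endpoint, not
Microsoft Account code and not the actual CVE-2025-21396 code path.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample roles and per-role permissions (hypothetical).
ROLE_RANK: Dict[str, int] = {"user": 1, "support": 2, "admin": 3}
PERMISSIONS: Dict[str, Set[str]] = {
    "user": set(),
    "support": {"read_profile"},
    "admin": {"read_profile", "manage_roles"},
}


@dataclass
class Principal:
    """An authenticated caller. A Request whose caller is None models an
    anonymous network caller, i.e. the PR:N case in the CVSS vector."""
    name: str
    role: str


@dataclass
class Request:
    caller: Optional[Principal]
    target: str
    new_role: str


@dataclass
class Directory:
    """In-memory user store: username -> role."""
    users: Dict[str, str] = field(default_factory=dict)


def set_role_vulnerable(directory: Directory, req: Request) -> bool:
    """CWE-862: applies a privilege change without asking who the caller is
    or whether they may do this. An anonymous request can make any account
    an admin."""
    if req.new_role not in ROLE_RANK:
        return False
    directory.users[req.target] = req.new_role
    return True


def authorize_role_change(directory: Directory, req: Request) -> Tuple[bool, str]:
    """Single deny-by-default access-control decision (the AC-24 idea):
    every reason to refuse is checked before the one path that permits."""
    if req.caller is None:
        return False, "unauthenticated caller"
    if req.target not in directory.users:
        return False, "unknown target account"
    if req.new_role not in ROLE_RANK:
        return False, "unknown role"
    # Least privilege (AC-6): only callers holding manage_roles may change
    # roles at all ...
    if "manage_roles" not in PERMISSIONS.get(req.caller.role, set()):
        return False, "caller lacks manage_roles"
    # ... and nobody can hand out a role more powerful than their own.
    if ROLE_RANK[req.new_role] > ROLE_RANK.get(req.caller.role, 0):
        return False, "cannot grant a role above the caller's own"
    return True, "permitted"


def set_role_hardened(directory: Directory, req: Request) -> bool:
    """Access enforcement (AC-3): the decision function is consulted on every
    call and the mutation happens only after an explicit allow."""
    allowed, reason = authorize_role_change(directory, req)
    if not allowed:
        raise PermissionError(reason)
    directory.users[req.target] = req.new_role
    return True


def run_demo() -> Dict[str, str]:
    """Replays the same anonymous escalation attempt against both handlers
    and returns the resulting role of the targeted account under each."""
    attack = Request(caller=None, target="alice", new_role="admin")
    outcome: Dict[str, str] = {}

    weak = Directory(users={"alice": "user", "bob": "admin"})
    set_role_vulnerable(weak, attack)
    outcome["vulnerable"] = weak.users["alice"]  # escalation succeeded

    strong = Directory(users={"alice": "user", "bob": "admin"})
    try:
        set_role_hardened(strong, attack)
    except PermissionError:
        pass
    outcome["hardened"] = strong.users["alice"]  # request refused, role intact
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

The point of splitting the decision out of the handler is that there is exactly one place where "is this caller allowed to change that role?" is answered, and the handler cannot reach the mutation without going through it; a check that lives inline in one endpoint is the kind that gets forgotten in the next one.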