Cyber Posture

CVE-2025-21396

Severity: High
Published: 29 January 2025
Modified: 12 February 2025
KEV Added: not listed
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0205 (84.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21396 is a high-severity Missing Authorization (CWE-862) vulnerability in Microsoft Account. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 16.0% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for logical access to information and system resources, directly mitigating the missing authorization check that allows unauthorized privilege escalation.

AC-6 Least Privilege (prevent)

Employs least privilege to restrict access rights, limiting the scope and impact of privilege elevation resulting from unauthorized actions.

AC-24 Access Control Decisions (prevent)

Requires that authorization decisions for access to system resources are made by defined personnel or roles, addressing the absence of authorization checks on privilege elevation paths.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The missing authorization vulnerability directly enables remote unauthorized privilege escalation within Microsoft Account, mapping to exploitation of software vulnerabilities for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing authorization in Microsoft Account allows an unauthorized attacker to elevate privileges over a network.

Deeper analysis

CVE-2025-21396 is a missing authorization vulnerability (CWE-862) affecting Microsoft Account. Published on 2025-01-29, it enables an unauthorized attacker to elevate privileges over a network. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H): the high severity reflects network reachability, low attack complexity, no required privileges or user interaction, a low integrity impact and a high availability impact.

An unauthenticated attacker (PR:N) can exploit this flaw remotely over the network (AV:N) with low complexity and no user interaction. Successful exploitation elevates privileges within Microsoft Account, with a high impact on service availability and a low impact on integrity (for example, unauthorized modifications); confidentiality is not affected (C:N).

The official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21396 provides details on mitigation, including any available patches or workarounds.

Details

CWE(s)

CWE-862 Missing Authorization

Affected Products

Microsoft Account, all versions

CVEs Like This One

CVE-2026-21264 (same product: Microsoft Account)
CVE-2025-49723 (same vendor: Microsoft)
CVE-2025-49747 (same vendor: Microsoft)
CVE-2025-54914 (same vendor: Microsoft)
CVE-2026-24293 (same vendor: Microsoft)
CVE-2025-21359 (same vendor: Microsoft)
CVE-2025-21367 (same vendor: Microsoft)
CVE-2025-49739 (same vendor: Microsoft)
CVE-2026-32164 (same vendor: Microsoft)
CVE-2025-21325 (same vendor: Microsoft)