CVE-2025-21400

High

Published: 11 February 2025

Published

11 February 2025

Modified

14 February 2025

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0168 82.3th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21400 is a high-severity Improper Authorization (CWE-285) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 17.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2025-21400 by requiring timely remediation of known flaws through application of Microsoft SharePoint Server patches as per the vendor advisory.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Ensures organizations receive and act on security advisories like the Microsoft MSRC update guide for CVE-2025-21400 to enable prompt flaw remediation.

RA-5 Vulnerability Monitoring and Scanning partial match

preventdetect

Provides vulnerability scanning to identify the presence of CVE-2025-21400 in SharePoint Server instances, enabling targeted patching before exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

RCE vulnerability in SharePoint Server requires low privileges to exploit over the network, directly enabling privilege escalation to achieve arbitrary code execution on the server.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Microsoft SharePoint Server Remote Code Execution Vulnerability

Deeper analysisAI

CVE-2025-21400 is a Remote Code Execution vulnerability affecting Microsoft SharePoint Server. Published on 2025-02-11, it carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-285 as well as NVD-CWE-noinfo.

An attacker with low privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction. Successful exploitation enables remote code execution, resulting in high impacts to confidentiality, integrity, and availability without scope change.

Microsoft has published an advisory with mitigation guidance in their update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21400.

Details

CWE(s): CWE-285 NVD-CWE-noinfo

Affected Products

microsoft

sharepoint server

2016, 2019 · ≤ 16.0.17928.20396

CVEs Like This One

CVE-2025-49701Same product: Microsoft Sharepoint Server

CVE-2025-21348Same product: Microsoft Sharepoint Server

CVE-2026-20947Same product: Microsoft Sharepoint Server

CVE-2026-26105Same product: Microsoft Sharepoint Server

CVE-2025-59228Same product: Microsoft Sharepoint Server

CVE-2025-21344Same product: Microsoft Sharepoint Server

CVE-2025-53795Same vendor: Microsoft

CVE-2026-32201Same product: Microsoft Sharepoint Server

CVE-2025-53770Same product: Microsoft Sharepoint Server

CVE-2025-21275Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21400
Patch, Vendor Advisory · secure@microsoft.com