Cyber Posture

CVE-2025-21408

Severity: High

Published: 06 February 2025
Modified: 11 February 2025
KEV Added: not currently listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21408 is a high-severity Type Confusion (CWE-843) vulnerability in Microsoft Edge Chromium. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 41.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly remediates the specific remote code execution flaw in Microsoft Edge by requiring timely patching as detailed in the MSRC update guide.

Anti-malware protection (prevent / detect)

Anti-malware scanning and protection mechanisms prevent or detect malicious payloads that exploit this browser RCE vulnerability via user-interacted links.

RA-5 Vulnerability Monitoring and Scanning (prevent / detect)

Vulnerability scanning identifies systems running vulnerable versions of Microsoft Edge, enabling remediation before exploitation of CVE-2025-21408.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.001 Malicious Link (tactic: Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

A browser RCE vulnerability exploited via a malicious link with user interaction directly enables T1203 (Exploitation for Client Execution) and T1204.001 (Malicious Link) for initial code execution on the client system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Deeper analysis

CVE-2025-21408 is a Remote Code Execution vulnerability in Microsoft Edge, the Chromium-based web browser. Published on 2025-02-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-843 and NVD-CWE-noinfo.

The vulnerability is exploitable over the network with low attack complexity; it requires no privileges but does require user interaction, such as clicking a malicious link. Successful exploitation has high impact on confidentiality, integrity, and availability, allowing remote code execution on affected systems.

Microsoft's Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21408 provides details on patches and mitigation steps.

Details

CWE(s): CWE-843 (Type Confusion), NVD-CWE-noinfo

Affected Products

Microsoft Edge (Chromium-based), versions ≤ 133.0.3065.51

CVEs Like This One

CVE-2025-21342 (same product: Microsoft Edge Chromium)
CVE-2025-21279 (same product: Microsoft Edge Chromium)
CVE-2025-21283 (same product: Microsoft Edge Chromium)
CVE-2026-21223 (same product: Microsoft Edge Chromium)
CVE-2025-21326 (same vendor: Microsoft)
CVE-2026-26110 (same vendor: Microsoft)
CVE-2025-62554 (same vendor: Microsoft)
CVE-2025-53143 (same vendor: Microsoft)
CVE-2025-53145 (same vendor: Microsoft)
CVE-2025-53144 (same vendor: Microsoft)
