Cyber Resilience

CVE-2025-33054

High

Published: 08 July 2025

Published
08 July 2025
Modified
14 July 2025
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0116 79.0th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-33054 is a high-severity Insufficient UI Warning of Dangerous Operations (CWE-357) vulnerability in Microsoft Windows 11 22H2. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Remote Desktop Protocol (T1021.001); ranked in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and SC-11 (Trusted Path).

Deeper analysis

The vulnerability CVE-2025-33054 stems from insufficient UI warnings of dangerous operations in the Remote Desktop Client. This flaw, tracked under CWE-357, enables spoofing and carries a CVSS 3.1 score of 8.1 reflecting network attack vector, low complexity, no required privileges, and required user interaction leading to high confidentiality and integrity impacts.

An unauthorized attacker can exploit the issue remotely over a network to conduct spoofing attacks against users of the Remote Desktop Client, potentially tricking them into approving unsafe operations without adequate visual cues.

Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33054 addresses the vulnerability and is the primary source for official mitigation guidance. The associated EPSS score remains flat at 0.0116 with no material increase observed since disclosure.

EU & UK References

Vulnerability details

Insufficient UI warning of dangerous operations in Remote Desktop Client allows an unauthorized attacker to perform spoofing over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1021.001 Remote Desktop Protocol Lateral Movement
Adversaries may use [Valid Accounts](https://attack.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Vulnerability in RDP client UI warnings directly enables spoofing/MitM-style abuse of Remote Desktop Protocol connections via user interaction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24076Same product: Microsoft Windows 11 22H2
CVE-2025-21343Same product: Microsoft Windows 11 22H2
CVE-2025-24994Same product: Microsoft Windows 11 22H2
CVE-2025-21370Same product: Microsoft Windows 11 22H2
CVE-2026-26151Same product: Microsoft Windows 11 23H2
CVE-2025-21325Same product: Microsoft Windows 11 22H2
CVE-2025-24084Same product: Microsoft Windows 11 22H2
CVE-2025-21334Same product: Microsoft Windows 11 22H2
CVE-2025-21333Same product: Microsoft Windows 11 22H2
CVE-2025-21335Same product: Microsoft Windows 11 22H2

Affected Assets

microsoft
windows 11 22h2
≤ 10.0.22621.5624
microsoft
windows 11 23h2
≤ 10.0.22631.5624
microsoft
windows 11 24h2
≤ 10.0.26100.4652
microsoft
windows server 2025
≤ 10.0.26100.4652

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-17 requires protections against spoofing for remote access, directly mitigating the network-based spoofing enabled by insufficient UI warnings in the Remote Desktop Client.

prevent

SC-11 establishes a trusted path that prevents spoofing over remote connections, addressing the UI spoofing vulnerability in RDP sessions.

prevent

SC-23 ensures the authenticity of remote sessions, countering the spoofing attack that exploits poor UI warnings in the Remote Desktop Client.

References