Cyber Posture

CVE-2025-62459

Severity: High

Published: 20 November 2025
Modified: 10 December 2025
KEV Added: not listed
Patch: see MSRC advisory
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0005 (14.8th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-62459 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Microsoft 365 Defender Portal. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranking places it at the 14.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires identification, reporting, and correction of the specific spoofing flaw in the Microsoft Defender Portal via vendor patches from MSRC.

SI-5 Security Alerts, Advisories, and Directives (prevent)

Mandates obtaining, disseminating, and implementing security advisories like the MSRC guidance for CVE-2025-62459 to enable timely mitigation.

RA-5 Vulnerability Monitoring and Scanning (prevent)

Enables scanning for known vulnerabilities such as CVE-2025-62459 in the Defender Portal to identify and address the spoofing issue proactively.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The spoofing vulnerability (CWE-79/XSS) in the public-facing Microsoft Defender Portal can be exploited remotely without privileges, requiring only user interaction (e.g., following a malicious link), which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Microsoft Defender Portal Spoofing Vulnerability

Deeper analysis

CVE-2025-62459 is a spoofing vulnerability (CWE-79) affecting the Microsoft Defender Portal. Published on 2025-11-20, it carries a CVSS v3.1 base score of 8.3 (High), reflecting a network-accessible issue (AV:N) with low complexity (AC:L), no required privileges (PR:N), and user interaction needed (UI:R), resulting in high confidentiality and integrity impacts (C:H/I:H), low availability impact (A:L), and unchanged scope (S:U).

An unauthenticated attacker can exploit this vulnerability remotely by tricking a user into performing an action, such as clicking a malicious link or interacting with spoofed content in the Microsoft Defender Portal. Successful exploitation enables the attacker to spoof the portal's interface, potentially leading to unauthorized access to sensitive information or manipulation of user actions, compromising confidentiality and integrity while causing limited disruption to availability.

Microsoft's Security Response Center (MSRC) provides detailed guidance on the vulnerability, including patch information and mitigation steps, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62459. Security practitioners should consult this advisory for deployment instructions and verify updates to affected Defender Portal instances.

Details

CWE(s)

CWE-79 (Cross-site Scripting)

Affected Products

Microsoft 365 Defender Portal (all versions)

CVEs Like This One

CVE-2025-62210 (same vendor: Microsoft)
CVE-2025-62211 (same vendor: Microsoft)
CVE-2026-21264 (same vendor: Microsoft)
CVE-2026-26144 (same vendor: Microsoft)
CVE-2026-26105 (same vendor: Microsoft)
CVE-2026-20856 (same vendor: Microsoft)
CVE-2025-21385 (same vendor: Microsoft)
CVE-2025-24043 (same vendor: Microsoft)
CVE-2025-49706 (same vendor: Microsoft)
CVE-2025-53770 (same vendor: Microsoft)
