CVE-2025-21172

High

Published: 14 January 2025

Published

14 January 2025

Modified

06 May 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0043 62.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

.NET and Visual Studio Remote Code Execution Vulnerability

Security Summary

CVE-2025-21172 is a Remote Code Execution vulnerability affecting .NET and Visual Studio. Published on 2025-01-14, it is associated with CWE-122 (Heap-based Buffer Overflow), CWE-190 (Integer Overflow or Wraparound), and NVD-CWE-noinfo. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An unauthenticated attacker can exploit this vulnerability over the network, though successful attacks require high complexity and user interaction, such as a victim opening a malicious file or interacting with crafted content. Exploitation enables remote code execution, granting high-impact access to confidentiality, integrity, and availability within the scope of the affected process.

Microsoft's Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21172 provides details on patches and mitigation steps, with additional information available at https://www.herodevs.com/vulnerability-directory/cve-2025-21172.

Details

CWE(s): CWE-122CWE-190NVD-CWE-noinfo

Affected Products

microsoft

.net

8.0.0, 9.0.0

microsoft

visual studio 2017

15.0 — 15.8

microsoft

visual studio 2019

16.0 — 16.10

microsoft

visual studio 2022

17.6.0 — 17.6.22 · 17.8.0 — 17.8.17 · 17.10.0 — 17.10.10

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21172
Vendor Advisory · secure@microsoft.com
https://www.herodevs.com/vulnerability-directory/cve-2025-21172
af854a3a-2127-422b-91ae-364da2661108