Cyber Posture

CVE-2025-21176

High

Published: 14 January 2025

Modified: 06 May 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0141 (80.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

Security Summary

CVE-2025-21176 is a remote code execution vulnerability affecting .NET, .NET Framework, and Visual Studio. Published on January 14, 2025, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-126 (Buffer Over-read), though additional CWE details are unavailable from NVD.

An unauthenticated attacker on the network can exploit this vulnerability with low complexity by tricking a user into performing an action, such as interacting with a malicious file or link. Successful exploitation enables remote code execution on the target system, resulting in high impacts to confidentiality, integrity, and availability.

For mitigation details, refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21176 and the HeroDevs vulnerability directory at https://www.herodevs.com/vulnerability-directory/cve-2025-21176.

Details

CWE(s)
CWE-126, NVD-CWE-noinfo

Affected Products

microsoft .net: 8.0.0, 9.0.0
microsoft visual studio 2017: 15.0 - 15.9.69
microsoft .net framework: 3.5, 4.6, 4.6.2, 4.7, 4.7.1

References