Cyber Posture

CVE-2025-21187

Severity: High
Published: 14 January 2025
Modified: 05 February 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (64.1st percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Microsoft Power Automate Remote Code Execution Vulnerability

Security Summary

CVE-2025-21187 is a Remote Code Execution vulnerability in Microsoft Power Automate, published on 2025-01-14T18:15:31.187. It carries a CVSS v3.1 base score of 7.8 (vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-94 (code injection) together with NVD-CWE-noinfo.

Exploitation requires local access (AV:L) and no prior privileges (PR:N), but depends on user interaction (UI:R): the attacker must convince a user to perform an action such as opening a malicious file or triggering a specific workflow. Successful exploitation yields arbitrary code execution in the context of that user, with high impact to confidentiality, integrity, and availability (C:H/I:H/A:H).

The Microsoft Security Response Center (MSRC) has published an update guide for this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21187, which provides mitigation and patching details.

Details

CWE(s)
CWE-94, NVD-CWE-noinfo

Affected Products

Microsoft Power Automate for Desktop
Affected version ranges:
2.46 through 2.46.184.25013
2.47 through 2.47.126.25010
2.48 through 2.48.164.25010