Cyber Posture

CVE-2025-21194

Severity: High

Published: 11 February 2025
Modified: 08 July 2025
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.9th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Microsoft Surface Security Feature Bypass Vulnerability

Security Summary

CVE-2025-21194 is a security feature bypass vulnerability affecting Microsoft Surface devices. Published on 2025-02-11, it carries a CVSS v3.1 base score of 7.1 (High), with vector AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified under CWE-20 (Improper Input Validation); NVD provides no further CWE detail (NVD-CWE-noinfo).

An attacker on an adjacent network can exploit this vulnerability without any privileges, but exploitation has high attack complexity and requires user interaction. Successful exploitation has high impact on confidentiality, integrity and availability: unauthorized access to confidential data, modification of system integrity, and disruption of availability, effectively bypassing security features on the affected Microsoft Surface component.

For mitigation details, security practitioners should refer to the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21194.

Details

CWE(s)
CWE-20, NVD-CWE-noinfo

Affected Products

microsoft surface hub 2s firmware: all versions
microsoft surface pro 8 for business 1983 firmware: all versions
microsoft surface laptop go firmware: all versions
microsoft surface laptop go 2 firmware: all versions
microsoft surface hub 3 50 firmware: all versions
microsoft surface pro 7+ firmware: all versions
microsoft surface laptop go 3 firmware: all versions
microsoft surface go 3 firmware: all versions
microsoft surface pro 9 with 5g 1997 firmware: all versions
microsoft surface pro 9 with 5g 1996 firmware: all versions
+17 more product configuration(s) — see NVD for full list

References