Cyber Posture

CVE-2025-21206

High

Published: 11 February 2025

Modified: 28 February 2025
KEV Added:
Patch
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0043 (62.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Visual Studio Installer Elevation of Privilege Vulnerability

Security Summary

CVE-2025-21206 is an Elevation of Privilege vulnerability in the Visual Studio Installer. Published on 2025-02-11T18:15:31.610, it carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is linked to CWE-427 (Untrusted Search Path) as well as NVD-CWE-noinfo.

The vulnerability can be exploited by a local attacker who already holds low privileges; attack complexity is low, but user interaction is required. Successful exploitation results in privilege escalation, with high impact to confidentiality, integrity, and availability.

Microsoft provides details on the vulnerability, including mitigation and patch information, in its Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21206.

Details

CWE(s): CWE-427 (Untrusted Search Path), NVD-CWE-noinfo

Affected Products

Microsoft Visual Studio 2017: 15.0 through 15.9.70
Microsoft Visual Studio 2019: 16.0 through 16.11.44
Microsoft Visual Studio 2022: 17.8 through 17.8.18; 17.10 through 17.10.11; 17.12 through 17.12.5

References