CVE-2025-21218

High

Published: 14 January 2025

Published

14 January 2025

Modified

27 January 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0131 79.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Windows Kerberos Denial of Service Vulnerability

Security Summary

CVE-2025-21218 is a Denial of Service vulnerability in the Windows Kerberos authentication component. Published on January 14, 2025, it carries a CVSS v3.1 base score of 7.5 (High), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and is associated with CWE-400 (Uncontrolled Resource Consumption).

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction. Exploitation leads to a denial of service condition, causing high impact on system availability while having no effect on confidentiality or integrity.

The Microsoft Security Response Center provides vulnerability details and mitigation guidance, including patches, in their update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21218.

Details

CWE(s): CWE-400NVD-CWE-noinfo

Affected Products

microsoft

windows server 2012

all versions, r2

microsoft

windows server 2016

≤ 10.0.14393.7699

microsoft

windows server 2019

≤ 10.0.17763.6775

microsoft

windows server 2022

≤ 10.0.20348.3091

microsoft

windows server 2022 23h2

≤ 10.0.25398.1369

microsoft

windows server 2025

≤ 10.0.26100.2894

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21218
Patch, Vendor Advisory · secure@microsoft.com