Cyber Posture

CVE-2025-21366

High

Published: 14 January 2025

Modified: 01 July 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0212 (84.2th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Microsoft Access Remote Code Execution Vulnerability

Security Summary

CVE-2025-21366 is a Remote Code Execution vulnerability affecting Microsoft Access. Published on 2025-01-14, it is linked to CWE-416 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact with local attack vector, low complexity, no privileges required, and user interaction needed.

An attacker with local access can exploit this vulnerability by tricking a user into interacting with a malicious Access file or database, such as opening it. Successful exploitation enables remote code execution, with high impact on the confidentiality, integrity, and availability of the affected system.

Microsoft provides mitigation guidance in its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21366.

Details

CWE(s)
CWE-416, NVD-CWE-noinfo

Affected Products

Vendor | Product | Versions
microsoft | 365 apps | all versions
microsoft | access | 2016
microsoft | office | 2019
microsoft | office long term servicing channel | 2021, 2024
