CVE-2025-21370

High

Published: 14 January 2025

Published

14 January 2025

Modified

17 January 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0061 69.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability

Security Summary

CVE-2025-21370 is a Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability. It affects the VBS Enclave component in Windows systems that utilize virtualization-based security features. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-20 (Improper Input Validation), as indicated by NVD-CWE-noinfo. It was published on 2025-01-14.

A local attacker with low privileges can exploit this vulnerability through low-complexity techniques requiring no user interaction. Successful exploitation enables elevation of privileges, resulting in high impacts to confidentiality, integrity, and availability within the affected scope.

Microsoft's Security Response Center provides an update guide for mitigation details at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21370.

Details

CWE(s): CWE-20NVD-CWE-noinfo

Affected Products

microsoft

windows 11 22h2

≤ 10.0.22621.4751

microsoft

windows 11 23h2

≤ 10.0.22631.4751

microsoft

windows 11 24h2

≤ 10.0.26100.2894

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21370
Patch, Vendor Advisory · secure@microsoft.com