CVE-2025-21385

CVE-2025-21385 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Microsoft Purview. Published on January 9, 2025, it enables an authorized attacker to disclose information over a network. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An authorized attacker with low privileges can exploit this SSRF remotely over the network with low attack complexity and no user interaction required. Successful exploitation allows the attacker to force the server to make unauthorized requests, leading to sensitive information disclosure across the network, as well as potential integrity and availability disruptions aligned with the high CVSS impact metrics.

For mitigation details, refer to the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21385, which provides guidance on patches and workarounds.