Cyber Posture

CVE-2025-21389

High

Published: 14 January 2025

Published
14 January 2025
Modified
13 February 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0239 85.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Uncontrolled resource consumption in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to deny service over a network.

Security Summary

CVE-2025-21389, published on 2025-01-14, is an uncontrolled resource consumption vulnerability in the Windows Universal Plug and Play (UPnP) Device Host. This flaw, associated with CWE-400, enables denial of service and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption with no confidentiality or integrity effects.

An unauthorized attacker can exploit this vulnerability remotely over a network with low complexity, requiring no privileges or user interaction. Successful exploitation leads to denial of service through excessive resource consumption on the targeted Windows system hosting the UPnP Device Host.

Microsoft's advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21389 provides guidance on patches and mitigation steps.

Details

CWE(s)
CWE-400NVD-CWE-noinfo

Affected Products

microsoft
windows 10 1507
≤ 10.0.10240.20890 · ≤ 10.0.10240.20890
microsoft
windows 10 1607
≤ 10.0.14393.7699 · ≤ 10.0.14393.7699
microsoft
windows 10 1809
≤ 10.0.17763.6775 · ≤ 10.0.17763.6775
microsoft
windows 10 21h2
≤ 10.0.19044.5371
microsoft
windows 10 22h2
≤ 10.0.19045.5371
microsoft
windows 11 22h2
≤ 10.0.22621.4751
microsoft
windows 11 23h2
≤ 10.0.22631.4751
microsoft
windows 11 24h2
≤ 10.0.26100.2894
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
+5 more product configuration(s) — see NVD for full list

References