Cyber Posture

CVE-2025-21399

High · Public PoC

Published: 17 January 2025

Modified
03 July 2025
KEV Added
Patch
CVSS Score 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 41.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability

Security Summary

CVE-2025-21399 is an elevation of privilege vulnerability in the update component of Microsoft Edge (Chromium-based). Published on 2025-01-17, it carries a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-426 (Untrusted Search Path).

The vulnerability can be exploited by a local attacker requiring no privileges or user interaction, though it demands high attack complexity. Successful exploitation enables elevation of privileges, resulting in high impacts to confidentiality, integrity, and availability.

Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21399 details patching guidance. Vicarius provides a detection script at https://www.vicarius.io/vsociety/posts/elevation-of-privilege-vulnerability-in-microsoft-edge-chromium-based-detection-script and a mitigation script at https://www.vicarius.io/vsociety/posts/elevation-of-privilege-vulnerability-in-microsoft-edge-chromium-based-mitigation-script.

Details

CWE(s)
CWE-426

Affected Products

microsoft edge update ≤ 1.3.195.43

References