CVE-2025-21410

High

Published: 11 February 2025

Published

11 February 2025

Modified

14 February 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0016 37.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Security Summary

CVE-2025-21410 is a Remote Code Execution vulnerability in the Windows Routing and Remote Access Service (RRAS). Published on 2025-02-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-122 and NVD-CWE-noinfo.

The vulnerability can be exploited by an unauthenticated attacker over the network with low attack complexity, though it requires user interaction. Successful exploitation enables remote code execution, resulting in high impacts to confidentiality, integrity, and availability.

Microsoft's Security Response Center provides vulnerability details and patch information in their update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21410.

Details

CWE(s): CWE-122NVD-CWE-noinfo

Affected Products

microsoft

windows server 2008

all versions, r2

microsoft

windows server 2012

all versions, r2

microsoft

windows server 2016

≤ 10.0.14393.7785

microsoft

windows server 2019

≤ 10.0.17763.6893

microsoft

windows server 2022

≤ 10.0.20348.3207

microsoft

windows server 2022 23h2

≤ 10.0.25398.1425

microsoft

windows server 2025

≤ 10.0.26100.3194

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21410
Patch, Vendor Advisory · secure@microsoft.com