CVE-2025-21419

High

Published: 11 February 2025

Published

11 February 2025

Modified

14 February 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0023 45.6th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Windows Setup Files Cleanup Elevation of Privilege Vulnerability

Security Summary

CVE-2025-21419 is a Windows Setup Files Cleanup Elevation of Privilege Vulnerability affecting the Windows operating system. Published on 2025-02-11, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-59 (Improper Link Resolution Before File Access) and NVD-CWE-noinfo.

A local attacker with low privileges can exploit this vulnerability through low-complexity means without requiring user interaction. Successful exploitation enables privilege escalation, leading to high impacts on system integrity and availability, though confidentiality remains unaffected.

Microsoft's Security Update Guide provides details on mitigation and patching for this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21419.

Details

CWE(s): CWE-59NVD-CWE-noinfo

Affected Products

microsoft

windows 10 1507

≤ 10.0.10240.20915 · ≤ 10.0.10240.20915

microsoft

windows 10 1607

≤ 10.0.14393.7785 · ≤ 10.0.14393.7785

microsoft

windows 10 1809

≤ 10.0.17763.6893 · ≤ 10.0.17763.6893

microsoft

windows 10 21h2

≤ 10.0.19044.5487

microsoft

windows 10 22h2

≤ 10.0.19045.5487

microsoft

windows 11 22h2

≤ 10.0.22621.4890

microsoft

windows 11 23h2

≤ 10.0.22631.4890

microsoft

windows 11 24h2

≤ 10.0.26100.3194

microsoft

windows server 2008

microsoft

windows server 2012

all versions, r2

+5 more product configuration(s) — see NVD for full list

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21419
Patch, Vendor Advisory · secure@microsoft.com