🟢 CVE-2025-21391

CVE-2025-21391 is a Windows Storage elevation of privilege vulnerability affecting multiple Windows versions and Windows Server editions. Despite being in CISA KEV, this is a local privilege escalation vulnerability requiring prior system access, not a directly internet-exploitable flaw.

Risk Level: LOW_RISK

CVSS Score: 7.1

Attack Vector: LOCAL

ATT&CK Tactic: Privilege Escalation

ATT&CK Technique: T1068 — Exploitation for Privilege Escalation

Deployment Risk: LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-02-11

Added to CISA KEV: 2025-02-11 (0 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-21391 is a security vulnerability in Microsoft Windows that was disclosed and patched in February 2025 [2].

Overview and Impact
  • Vulnerability Type: It is classified as a "link following" vulnerability in Windows Storage, leading to an Elevation of Privilege (EoP) [1] [6].
  • Impact: Successful exploitation allows an attacker to escalate their privileges on the system and gain the ability to delete targeted files [1].
  • Severity: It has a CVSSv3 score of 7.1 and is categorized as "Important" [1] [3].

Exploitation and Attack Method
  • Active Exploitation: Microsoft confirmed that this vulnerability was being actively exploited in the wild at the time of its disclosure in February 2025 [1] [2].
  • Requirements:
      * Access: It is a local vulnerability (AV:L), meaning an attacker must already have some level of access to the target system [3].
      * User Interaction: Exploitation does not require user interaction (UI:N) [3].
      * Privileges: It requires low privileges (PR:L) to execute [3].
  • Threat Actor Usage: While it was confirmed to be exploited in the wild, specific details regarding the threat actors or whether it was used in specific ransomware campaigns were not publicly attributed in the initial disclosure reports [2].

Availability and Mitigation
  • Exploit Availability: As of the disclosure period, there were no reports of public exploit code, though it was noted that private exploits existed [5].
  • Status: The vulnerability is included in the CISA Known Exploited Vulnerabilities (KEV) Catalog, which mandates that federal agencies apply the necessary patches [4].
  • Patching: Users should ensure their systems are updated with the security patches released by Microsoft in February 2025 to mitigate this risk [1].

Sources

  1. Microsoft Releases February 2025 Security Updates - NHS Digital

    CVE-2025-21391 is a 'link following' vulnerability in Windows and Windows Server with a CVSSv3 score of 7.1. Successful exploitation could allow ... Microsoft has stated that exploitation of the vulnerabilities CVE-2025-21418 and CVE-2025-21391 has been observed. ... CVE-2025-21391 is a ' link follo…

  2. Microsoft fixes two actively exploited zero-days (CVE-2025-21418 ...

    CVE-2025-21391 affects Windows Storage in various Windows and Windows Server version. It is another elevation of privilege flaw that, according ... CVE-2025-21418 and CVE-2025-21391. CVE-2025-21418 is a vulnerability in the Windows Ancillary Function Driver (AFD.sys), which interfaces with the Windo…

  3. CVE-2025-21391 - Exploits & Severity - Feedly

    Windows Storage Elevation of Privilege Vulnerability CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H ... Feedly found the first article mentioning CVE-2025-21391. ... NVD published the first details for CVE-2025-21391 ... CVE-2025-21391 is a Windows Storage Elevation of Privilege vulnerability with a…

  4. CVE-2025-21391 : Windows Storage Elevation of Privilege Vulnerability

    CVE-2025-21391 is in the CISA Known Exploited Vulnerabilities Catalog CISA vulnerability name: Microsoft Windows Storage Link Following Vulnerability CISA required action:…

  5. CVE-2025-21373 - Exploits & Severity - Feedly

    Two with signs of exploitation in the wild: EoP – Windows Ancillary Function Driver for WinSock (CVE-2025-21418) EoP – Windows Storage (CVE-2025-21391) There are no vulnerabilities with public exploits, but there are 7 with private ones: RCE – Microsoft Edge (CVE-2025-21279, CVE-2025-21283) Auth. ..

  6. NVD - CVE-2025-21391

    Microsoft Windows Storage Link Following Vulnerability. 02/11/2025. 03/04/2025. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Weakness Enumeration.Microsoft Windows Storage Link Following Vulnerability. New CVE Received from Microsoft Cor…