CVE-2025-21287

Q: What is the severity of CVE-2025-21287?

CVE-2025-21287 has a CVSS score of 7.8 (HIGH). This Windows Installer vulnerability allows authenticated attackers to elevate privileges on affected systems. Attackers could gain SYSTEM-level access by exploiting improper handling of certain operations. This affects Windows systems with the vulnerable Windows Installer component.

7.8 HIGH

📋 TL;DR

This Windows Installer vulnerability allows authenticated attackers to elevate privileges on affected systems. Attackers could gain SYSTEM-level access by exploiting improper handling of certain operations. This affects Windows systems with the vulnerable Windows Installer component.

💻 Affected Systems

Products:

Windows Installer

Versions: Specific Windows versions as detailed in Microsoft advisory

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user access to exploit. Systems with Windows Installer service enabled are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling complete control over the affected machine, data theft, and lateral movement within the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install malware, or access restricted resources on compromised systems.

🟢

If Mitigated

Limited impact due to proper access controls, least privilege principles, and network segmentation preventing lateral movement.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated access to the system first.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a system, they can exploit this to gain elevated privileges and move laterally.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and specific conditions to trigger the vulnerability. No known public exploits as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21287

Restart Required: No

Instructions:

1. Apply the latest Windows security updates from Microsoft. 2. Use Windows Update or WSUS to deploy patches. 3. Verify patch installation via system update history.

🔧 Temporary Workarounds

Restrict Windows Installer Service

all

Limit Windows Installer service permissions to reduce attack surface

sc config msiserver start= disabled
sc stop msiserver

Implement Least Privilege

all

Ensure users operate with minimal necessary privileges

🧯 If You Can't Patch

Implement strict access controls and network segmentation
Monitor for suspicious Windows Installer service activity

🔍 How to Verify

Check if Vulnerable:

Check Windows version and installed updates against Microsoft advisory

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify security update KB number is installed via Windows Update history

📡 Detection & Monitoring

Log Indicators:

Unusual Windows Installer service activity
Privilege escalation attempts in security logs
Suspicious process creation with elevated privileges

Network Indicators:

Lateral movement from previously compromised systems
Unexpected administrative access patterns

SIEM Query:

EventID=4688 AND NewProcessName LIKE '%msiexec%' AND SubjectUserName != SYSTEM

📊 Metadata

CVE ID: CVE-2025-21287

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

EPSS Score: 0.31% exploit probability (53.6th percentile)

Published: January 14, 2025

Last Updated: January 24, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21287 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft