CVE-2025-21385

8.8 HIGH

📋 TL;DR

This Server-Side Request Forgery (SSRF) vulnerability in Microsoft Purview allows an authenticated attacker to make the application send requests to internal systems, potentially exposing sensitive data or services. Organizations using Microsoft Purview are affected, particularly those with internet-facing instances or insufficient network segmentation.

💻 Affected Systems

Products:
  • Microsoft Purview
Versions: Specific versions not yet detailed in public advisory
Operating Systems: Windows Server, Linux (for containerized deployments)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access; exact affected configurations depend on Purview deployment model and features enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker accesses internal services, exfiltrates sensitive data, or performs lateral movement to critical systems.

🟠 Likely Case: Information disclosure from internal APIs, metadata services, or cloud instance metadata endpoints.

🟢 If Mitigated: Limited impact due to network segmentation, egress filtering, and proper authentication controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of Purview's API endpoints and internal network layout.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific patch versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21385

Restart Required: No

Instructions:

1. Review the Microsoft Security Update Guide for CVE-2025-21385.
2. Apply the latest security updates for Microsoft Purview.
3. Verify update installation through the Purview admin portal.

🔧 Temporary Workarounds

Network Segmentation (all)
Restrict the Purview server's outbound network access to only the endpoints it needs.

Input Validation (all)
Implement strict validation on all URL/endpoint parameters in Purview configurations.

🧯 If You Can't Patch

  • Implement network egress filtering to block Purview servers from accessing internal services
  • Enable audit logging for all Purview API calls and monitor for unusual request patterns

🔍 How to Verify

Check if Vulnerable:

Check Purview version against patched versions in Microsoft advisory

Check Version:

Get-PurviewVersion (PowerShell) or check Purview admin portal

Verify Fix Applied:

Verify patch installation through Purview admin portal or version check commands

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound requests from Purview servers
  • SSRF patterns in application logs
  • Failed authentication attempts followed by internal requests

Network Indicators:

  • Purview servers making requests to internal IP ranges
  • Unexpected traffic to metadata services (169.254.169.254)

SIEM Query:

source="purview" AND (url_contains="internal" OR dest_ip=private_range) AND user_agent="Purview"
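The following Python script is an added example, not part of this advisory and not Microsoft's or Purview's code. It puts the two defensive controls described above into runnable form and shares one "is this destination internal?" test between them: an allowlist validator for URL-typed configuration parameters (the Input Validation workaround), and a log scanner that implements the Network Indicators and the SIEM query, flagging outbound requests from Purview hosts to private ranges or to the 169.254.169.254 metadata endpoint. The log line layout, the host names and the allowlist are constructed for the example; real Purview logs will have different field names.

```python
"""Added example: SSRF egress validation and detection for a Purview-style deployment.
Everything below (log format, hostnames, allowlist) is constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the only external endpoints the Purview service should ever contact.
ALLOWED_EGRESS_HOSTS = {"api.example.com", "storage.example.net"}

# Cloud instance metadata endpoint named in the advisory's network indicators.
METADATA_ENDPOINT = "169.254.169.254"


def is_internal_destination(host: str) -> bool:
    """True if `host` is an IP literal in a private, loopback, link-local,
    reserved, multicast or unspecified range, or a hostname the page's SIEM rule
    would flag ("localhost" or anything containing "internal").
    Hostnames are deliberately not resolved, so the check is offline and deterministic."""
    host = host.strip("[]").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or "internal" in host
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_egress_url(url: str) -> tuple[bool, str]:
    """Allowlist check for a URL/endpoint parameter before the service fetches it.
    Returns (accepted, reason). Rejects non-HTTPS schemes, embedded credentials
    (a classic trick to smuggle a different host past a naive string check),
    internal destinations and anything not on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname or ""
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if is_internal_destination(host):
        return False, f"destination {host} is internal"
    if host not in ALLOWED_EGRESS_HOSTS:
        return False, f"host {host} not on egress allowlist"
    return True, "ok"


# Constructed log format: "<timestamp> src=<host> user=<user> dest=<ip> url=<url>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+dest=(?P<dest>\S+)\s+url=(?P<url>\S+)"
)

# Constructed sample lines; two of them should raise an alert.
SAMPLE_LOG = """\
2025-01-14T10:22:31Z src=purview-01 user=svc_scan dest=52.0.0.10 url=https://api.example.com/v1/scan
2025-01-14T10:22:35Z src=purview-01 user=contractor7 dest=169.254.169.254 url=http://169.254.169.254/latest/meta-data/
2025-01-14T10:22:40Z src=purview-01 user=contractor7 dest=10.0.4.15 url=http://10.0.4.15:8080/admin
2025-01-14T10:22:44Z src=purview-02 user=svc_scan dest=52.0.0.10 url=https://storage.example.net/blob
malformed line that the parser skips
"""


def scan_purview_logs(text: str) -> list[dict]:
    """Return one alert per outbound request whose destination is the metadata
    endpoint or any private/internal address. Mirrors the page's SIEM query
    (dest_ip in a private range OR url contains "internal") on parsed log lines."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        rec = m.groupdict()
        dest = rec["dest"]
        if dest == METADATA_ENDPOINT:
            reason = "cloud metadata endpoint"
        elif is_internal_destination(dest) or is_internal_destination(urlsplit(rec["url"]).hostname or ""):
            reason = "private/internal destination"
        else:
            continue
        alerts.append({"ts": rec["ts"], "src": rec["src"], "user": rec["user"],
                       "dest": dest, "url": rec["url"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/scan",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://api.example.com@10.0.0.5/x"):
        print(candidate, "->", validate_egress_url(candidate))
    for alert in scan_purview_logs(SAMPLE_LOG):
        print(alert)
```

The validator is the control you would put in front of any Purview configuration field that accepts a URL; the scanner is the detection you would schedule against exported request logs while the patch is pending. Both rely on the same range test, so tightening the definition of "internal" (for example adding your own RFC 1918 subnets that are not link-local) changes prevention and detection together.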
