CVE-2025-21419

Q: What is the severity of CVE-2025-21419?

CVE-2025-21419 has a CVSS score of 7.1 (HIGH). This vulnerability allows an authenticated attacker to exploit Windows Setup cleanup processes to gain SYSTEM privileges on affected systems. It affects Windows systems where the attacker has local access and can execute code with standard user permissions. The vulnerability leverages improper handling of file cleanup operations during Windows Setup.

7.1 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to exploit Windows Setup cleanup processes to gain SYSTEM privileges on affected systems. It affects Windows systems where the attacker has local access and can execute code with standard user permissions. The vulnerability leverages improper handling of file cleanup operations during Windows Setup.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with default configurations where users have standard privileges. Requires attacker to have local authenticated access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, malware persistence, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation from standard user to SYSTEM, allowing installation of malware, credential harvesting, and bypassing security controls.

🟢

If Mitigated

Limited impact due to proper access controls, application whitelisting, and limited user privileges preventing execution of malicious code.

🌐 Internet-Facing: LOW - Requires local authenticated access; not directly exploitable over the internet.

🏢 Internal Only: MEDIUM - Requires authenticated access but could be exploited by malicious insiders or attackers who have gained initial foothold on the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authenticated access and ability to execute code. Exploitation involves manipulating Windows Setup cleanup processes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the latest Windows security updates from Microsoft's February 2025 Patch Tuesday or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21419

Restart Required: Yes

Instructions:

1. Open Windows Update settings. 2. Click 'Check for updates'. 3. Install all available security updates. 4. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict local user privileges

all

Limit standard users' ability to execute arbitrary code and access sensitive system directories

Implement application control policies

all

Use Windows Defender Application Control or AppLocker to restrict execution of unauthorized binaries

🧯 If You Can't Patch

Implement strict least privilege access controls for all user accounts
Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and update status via 'winver' command and Windows Update history

Check Version:

winver

Verify Fix Applied:

Verify the February 2025 or later security updates are installed via Windows Update history

📡 Detection & Monitoring

Log Indicators:

Unusual process creation events with SYSTEM privileges from user accounts
Windows Setup-related process execution anomalies
Security log Event ID 4688 with elevated privileges

Network Indicators:

Lateral movement attempts following local privilege escalation

SIEM Query:

EventID=4688 AND NewProcessName CONTAINS 'cmd.exe' OR 'powershell.exe' AND SubjectUserName NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE') AND TokenElevationType='%%1936'

📊 Metadata

CVE ID: CVE-2025-21419

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE: CWE-59

EPSS Score: 0.26% exploit probability (49.2th percentile)

Published: February 11, 2025

Last Updated: February 14, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21419 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft