#VU102644 Improper Resolution of Path Equivalence in Microsoft products - CVE-2025-21189
Vulnerability identifier: #VU102644
Vulnerability risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-41
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Microsoft Internet Explorer
Client/Desktop applications /
Web browsers
Windows
Operating systems & Components /
Operating system
Windows Server
Operating systems & Components /
Operating system
Vendor: Microsoft
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper resolution of path equivalence in MapUrlToZone security feature. A remote attacker can trick the victim into opening a specially crafted file and gain access to sensitive information.Mitigation
Install updates from vendor's website.
Vulnerable software versions
Microsoft Internet Explorer: 11 - 11.1790.17763.0
Windows: before 10 21H2, 10 22H2, 10 1507, 10 1607, 10 1809, 11 22H2, 11 23H2, 11 24H2, 10 21H2, 10 21H2, 10 21H2, 10 21H2, 10 21H2, 10 21H2, 10 21H2, 10 21H2
Windows Server: before 2008 R2, 2008, 2012 R2, 2012, 2016, 2022 23H2, 2022, 2008 R2, 2008 R2, 2008 R2, 2008 R2
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-21189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
