CVE-2025-21268
published 2025-01-14CVE-2025-21268: MapUrlToZone Security Feature Bypass Vulnerability
medium4.3CVSS 3.1
AVNACLPRNUIRSUCLINAN
MapUrlToZone Security Feature Bypass Vulnerability
Affected
47 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1507 | < 10.0.10240.20890 | 10.0.10240.20890 |
| microsoft | windows_10_1607 | < 10.0.14393.7699 | 10.0.14393.7699 |
| microsoft | windows_10_1809 | < 10.0.17763.6775 | 10.0.17763.6775 |
| microsoft | windows_10_21h2 | < 10.0.19044.5371 | 10.0.19044.5371 |
| microsoft | windows_10_22h2 | < 10.0.19045.5371 | 10.0.19045.5371 |
| microsoft | windows_10_version_1507 | >= 10.0.10240.0 < 10.0.10240.20890 | 10.0.10240.20890 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.7699 | 10.0.14393.7699 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.6775 | 10.0.17763.6775 |
| microsoft | windows_10_version_21h2 | >= 10.0.19044.0 < 10.0.19044.5371 | 10.0.19044.5371 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.5371 | 10.0.19045.5371 |
| microsoft | windows_11_22h2 | < 10.0.22621.4751 | 10.0.22621.4751 |
| microsoft | windows_11_23h2 | < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_24h2 | < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.4751 | 10.0.22621.4751 |
| microsoft | windows_11_version_22h3 | >= 10.0.22631.0 < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.4751 | 10.0.22631.4751 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.2894 | 10.0.26100.2894 |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.7601.0 < 6.1.7601.27520 | 6.1.7601.27520 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.6003.0 < 6.0.6003.23070 | 6.0.6003.23070 |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | >= 6.2.9200.0 < 6.2.9200.25273 | 6.2.9200.25273 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.22371 | 6.3.9600.22371 |
| microsoft | windows_server_2016 | < 10.0.14393.7699 | 10.0.14393.7699 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.7699 | 10.0.14393.7699 |
Microsoft
MapUrlToZone Security Feature Bypass Vulnerability
vendor_msrc·2025-01-14·CVSS 4.3
CVE-2025-21268 [MEDIUM] CWE-41 MapUrlToZone Security Feature Bypass Vulnerability
MapUrlToZone Security Feature Bypass Vulnerability
FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L),but lead to no loss of availability (A:N) and integrity (I:N)? What does that mean for this vulnerability?
An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).
FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability?
An attacker who successfully exploited the vulnerability could bypass the MapURLToZone method
GHSA
GHSA-vp5q-499v-968r: MapUrlToZone Security Feature Bypass Vulnerability
ghsa_unreviewed·2025-01-14
CVE-2025-21268 [MEDIUM] CWE-41 GHSA-vp5q-499v-968r: MapUrlToZone Security Feature Bypass Vulnerability
MapUrlToZone Security Feature Bypass Vulnerability
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
blogs_bleepingcomputer·2025-01-14·CVSS 7.8
[HIGH] Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
## Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
## Lawrence Abrams
40 Elevation of Privilege Vulnerabilities
14 Security Feature Bypass Vulnerabilities
58 Remote Code Execution Vulnerabilities
24 Information Disclosure Vulnerabilities
20 Denial of Service Vulnerabilities
5 Spoofing Vulnerabilities
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5050009 & KB5050021 cumulative updates and the Windows 10 KB5048652 cumulative update.
## Three actively exploited zero-day disclosed
This month's Patch Tuesday fixes three actively exploited and five publicly exposed zero-day vulnerabilities.
Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no offi
Qualys
Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review
blogs_qualys·2025-01-14
Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for January 2025
Adobe Patches for January 2025
Zero-day Vulnerabilities Patched in January Patch Tuesday Edition
Critical Severity Vulnerabilities Patched in January Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
Qualys Monthly Webinar Series
Happy New Year! As the calendar turns to January 2025, Microsoft’s first Patch Tuesday of 2025 has arrived. From zero-days to critical vulnerabilities, here’s what deserves your attention. Here’s a breakdown of what’s been patched.
## Microsoft Patch Tu
Talos
Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities
blogs_talos·2025-01-14·CVSS 8.1
CVE-2025-21309 [HIGH] Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities
## Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 12 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”
One notable critically rated vulnerability that has been patched this month is CVE-2025-21309 , which is a remote code execution vulnerability affecting Windows Remote Desktop Services. Exploitation of this vulnerability could lead to arbitrary code execution on systems where the Remote Desktop Gateway role has been enabled. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft.
Another notable remote code execut
Qualys
Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review | Qualys
blogs_qualys·2025-01-14
Microsoft and Adobe Patch Tuesday, January 2025 Security Update Review | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for January 2025
- Adobe Patches for January 2025
- Zero-day Vulnerabilities Patched in January Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in January Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- Qualys Monthly Webinar Series
Happy New Year! As the calendar turns to January 2025, Microsoft’s first Patch Tuesday of 2025 has arrived. From zero-days to critical vulnerabilities, here’s what deserves your attention. Here’s a breakdown of what’s been patched.
## Micro
Talos
Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities
blogs_talos·2025-01-14·CVSS 8.1
CVE-2025-21309 [HIGH] Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 12 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”
One notable critically rated vulnerability that has been patched this month is CVE-2025-21309, which is a remote code execution vulnerability affecting Windows Remote Desktop Services. Exploitation of this vulnerability could lead to arbitrary code execution on systems where the Remote Desktop Gateway role has been enabled. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft.
Another notable remote code execution vulnerability in Window Object Linking and Embedding (OLE) was also patched this month
2025-01-14
Published