CVE-2025-21385
Published 2025-01-09
CVE-2025-21385: A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Purview allows an authorized attacker to disclose information over a network.
Priority P3 · 48 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 24.44% (97.6th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_purview | — | — |
| msrc | microsoft_purview | — | — |
Detection & IOCs (extracted from sources)
domain: purview.azure.com
suricata rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Microsoft Purview Authorized Server-Side Request Forgery (CVE-2025-21385)"; flow:established,to_server; http.method; content:"POST"; http.host; dotprefix; content:".purview.azure.com"; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|callback|22 3a|"; reference:url,github.com/Pauloxc6/CVE-2025-21385/; reference:cve,2025-21385; classtype:web-application-attack; sid:2060021; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_02_10, cve CVE_2025_21385, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
bytes: |22|callback|22 3a| (the JSON key `"callback":` in Suricata's hex-content notation; 0x22 is a double quote, 0x3a a colon)
- Exploit requests use the HTTP POST method with Content-Type: application/json, targeting *.purview.azure.com hosts
- The SSRF payload contains a 'callback' key in the JSON request body (hex: |22|callback|22 3a|), which is the trigger for the SSRF exploitation
- Detection requires TLS decryption (SSLDecrypt), since traffic to purview.azure.com is HTTPS; the rule metadata specifies tls_state TLSDecrypt and deployment SSLDecrypt
- MITRE mapping: TA0001 Initial Access / T1190 Exploit Public-Facing Application; treat inbound POST requests with callback payloads to Purview endpoints as exploitation attempts
- Microsoft has already fully mitigated this vulnerability server-side; no customer action or patching is required
- Exploit has not been publicly disclosed or observed in the wild as of the advisory date
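As an added example (not code from this page, from Emerging Threats, or from Microsoft), the following Python applies the four match conditions of rule sid:2060021 to already-decrypted HTTP requests, including Suricata's dotprefix semantics for the host match. The hostnames, paths and request bodies are constructed samples.

```python
"""Mirror of the Suricata rule's match conditions for CVE-2025-21385 (sid:2060021),
applied to decrypted HTTP requests. Added example, not the page's or ET's own code."""

# Literal byte patterns taken from the rule; |22|callback|22 3a| decodes to the
# JSON key "callback": (0x22 is a double quote, 0x3a a colon).
HOST_SUFFIX = b".purview.azure.com"
BODY_PATTERN = b'"callback":'


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser; input is constructed sample traffic."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": request_line.split(b" ", 1)[0],
            "host": headers.get(b"host", b""),
            "content_type": headers.get(b"content-type", b""),
            "body": body}


def dotprefix_match(host: bytes, suffix: bytes) -> bool:
    """Suricata's dotprefix transform prepends '.' to the host buffer, so the
    suffix matches the apex and any subdomain but not a look-alike such as
    notpurview.azure.com."""
    host = host.split(b":")[0].lower()          # drop an explicit port
    return (b"." + host).endswith(suffix)


def matches_rule(req: dict) -> bool:
    """All four content matches of sid:2060021 must hold for an alert."""
    return (req["method"] == b"POST"
            and dotprefix_match(req["host"], HOST_SUFFIX)
            and b"application/json" in req["content_type"].lower()
            and BODY_PATTERN in req["body"])


# Constructed samples: one request shaped like the rule's trigger, one benign
# JSON POST to a look-alike host that dotprefix must not match.
SUSPECT = (b"POST /api HTTP/1.1\r\nHost: tenant.purview.azure.com\r\n"
           b"Content-Type: application/json\r\n\r\n"
           b'{"callback":"https://placeholder.invalid/"}')
BENIGN = (b"POST /api HTTP/1.1\r\nHost: notpurview.azure.com\r\n"
          b"Content-Type: application/json\r\n\r\n"
          b'{"callback":"https://placeholder.invalid/"}')

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, "ALERT" if matches_rule(parse_request(raw)) else "no match")
```

The rule only fires on decrypted traffic, so a sensor without SSLDecrypt in the path never sees the request body this logic depends on.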
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| vendor_msrc | — | 8.8 | HIGH | — |
GHSA
GHSA-q57q-p5mg-4c5w: A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Purview allows an authorized attacker to disclose information over a network
ghsa_unreviewed · 2025-01-10 · CVE-2025-21385 [HIGH] · CWE-918
Microsoft
Microsoft Purview Information Disclosure Vulnerability
vendor_msrc · 2025-01-14 · CVSS 8.8 · CVE-2025-21385 [HIGH] · CWE-918
Description: A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Purview allows an authorized attacker to disclose information over a network.
FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?
This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.
Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.
Customer Action Required: No
Impact: Information Disclosure
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Rele
Suricata
ET WEB_SPECIFIC_APPS Microsoft Purview Authorized Server-Side Request Forgery (CVE-2025-21385)
suricata · 2025-02-10 · CVSS 8.8 · CVE-2025-21385 [HIGH]
Rule: sid:2060021 (the full rule text is given under Detection & IOCs above)
No public exploits indexed.
Bleepingcomputer
## Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
blogs_bleepingcomputer · 2025-01-14 · CVSS 7.8 · [HIGH]
By Lawrence Abrams
- 40 Elevation of Privilege Vulnerabilities
- 14 Security Feature Bypass Vulnerabilities
- 58 Remote Code Execution Vulnerabilities
- 24 Information Disclosure Vulnerabilities
- 20 Denial of Service Vulnerabilities
- 5 Spoofing Vulnerabilities
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5050009 & KB5050021 cumulative updates and the Windows 10 KB5048652 cumulative update.
## Three actively exploited zero-days disclosed
This month's Patch Tuesday fixes three actively exploited and five publicly exposed zero-day vulnerabilities.
Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no offi
Talos
## Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities
blogs_talos · 2025-01-14 · CVSS 8.1 · CVE-2025-21309 [HIGH]
Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 12 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”
One notable critically rated vulnerability that has been patched this month is CVE-2025-21309, which is a remote code execution vulnerability affecting Windows Remote Desktop Services. Exploitation of this vulnerability could lead to arbitrary code execution on systems where the Remote Desktop Gateway role has been enabled. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft.
Another notable remote code execution vulnerability in Windows Object Linking and Embedding (OLE) was also patched this month
Published: 2025-01-09