CVE-2025-21262: Microsoft Edge (Chromium-based) Spoofing Vulnerability

Overview

Severity

Medium (CVSS 5.4)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

Category

Edge - Chromium

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Jan

Released

2025-01-24

EPSS Score

0.20% (percentile: 41.5%)

Description

User Interface (UI) Misrepresentation of Critical Information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker is only able to compromise files that they were allowed access to as part of their initial privilege but cannot affect the availability of the browser. What is the version information for this release? Microsoft Edge Version Date Released Based on Chromium Version 132.0.2957.127 1/24/2025 132.0.6834.111 According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it.

Affected Products (1)

Browser

• Microsoft Edge (Chromium-based)

Acknowledgments

<a href="https://www.linkedin.com/in/sazzad-mahmud-tomal-4422b0236">Sazzad Mahmud Tomal</a>

Revision History

• 2025-01-24: Information published.