Platform: windows
Component: power-automate-for-desktop
Fixed in: 2.52.62.25009
CVE-2025-21187 is a Remote Code Execution (RCE) vulnerability in Microsoft Power Automate for Desktop. It allows an attacker to execute arbitrary code on a victim's system, potentially leading to complete system compromise. Affected versions are 1.0.0.0 through 2.52.62.25009; a fix is available in version 2.52.62.25009.
Successful exploitation of CVE-2025-21187 allows an attacker to execute arbitrary code within the context of the Power Automate for Desktop process. This could involve downloading and executing malicious payloads, installing malware, or gaining persistent access to the system. The attacker could potentially steal sensitive data, modify system configurations, or even pivot to other systems on the network. Given Power Automate for Desktop's automation capabilities, an attacker could leverage this vulnerability to automate malicious actions across multiple endpoints, significantly expanding the blast radius.
CVE-2025-21187 was publicly disclosed on January 14, 2025. Exploitation context and probability are currently assessed as medium, pending the release of public proof-of-concept exploits. It is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Exploit Status
EPSS: 0.46% (64th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-21187 is to upgrade to Power Automate for Desktop version 2.52.62.25009 or later. If upgrading immediately is not feasible, consider restricting network access to Power Automate for Desktop processes and carefully reviewing any unattended automation flows for suspicious activity. Implement application control policies to prevent the execution of unauthorized code. After upgrading, confirm the fix by attempting to trigger the vulnerable functionality and verifying that code execution is prevented.
Update Microsoft Power Automate for Desktop to version 2.52.62.25009 or later. This resolves the remote code execution vulnerability.
CVE-2025-21187 is a Remote Code Execution vulnerability in Microsoft Power Automate for Desktop allowing attackers to execute arbitrary code. It has a HIGH severity rating and affects versions 1.0.0.0–2.52.62.25009.
You are affected if you are using Power Automate for Desktop versions 1.0.0.0 through 2.52.62.25009. Check your installed version and upgrade if necessary.
Upgrade to Power Automate for Desktop version 2.52.62.25009 or later to remediate the vulnerability. Consider restricting network access and reviewing automation flows as interim measures.
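The version check above can be scripted so it can be run on one machine or pushed to a fleet. The following PowerShell is an added example written for this page, not code from the advisory or from Microsoft. It assumes Power Automate for Desktop registers under the standard Uninstall registry keys with a DisplayName containing "Power Automate" (the name pattern is an assumption) and, following the advisory's "2.52.62.25009 or later" guidance, treats the fixed build itself as patched:

```powershell
# Added example: report whether the installed Power Automate for Desktop build
# is below the fixed version stated in the advisory for CVE-2025-21187.

function Get-PadPatchStatus {
    param(
        # Fixed version from the advisory.
        [version]$FixedVersion = [version]'2.52.62.25009',
        # ASSUMPTION: the product's DisplayName contains "Power Automate".
        [string]$NamePattern = '*Power Automate*'
    )

    # Standard per-machine (64-bit and 32-bit) and per-user Uninstall keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }

    if (-not $installs) {
        return [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Product   = $null
            Installed = $null
            Status    = 'NotInstalled'
        }
    }

    foreach ($app in $installs) {
        $installed = $null
        # DisplayVersion is a free-form string; parse it defensively so a missing
        # or malformed value is flagged for manual review rather than silently
        # reported as patched.
        if (-not [version]::TryParse([string]$app.DisplayVersion, [ref]$installed)) {
            $status = 'UnparseableVersion'
        } elseif ($installed -lt $FixedVersion) {
            $status = 'Affected'
        } else {
            $status = 'Fixed'
        }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Product   = $app.DisplayName
            Installed = $app.DisplayVersion
            Status    = $status
        }
    }
}

# Local run; for a fleet, wrap in Invoke-Command and export the objects to CSV.
Get-PadPatchStatus | Format-Table -AutoSize
```

The function returns objects rather than text so the result can be filtered (for example on `Status -eq 'Affected'`) or collected across hosts; an `UnparseableVersion` result means the registry value could not be interpreted and the installation should be checked by hand.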
Exploitation activity is currently being monitored, and the probability is assessed as medium. Stay informed about security advisories and threat intelligence updates.
Refer to the official Microsoft security advisory for CVE-2025-21187 on the Microsoft Security Response Center website.