{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64676", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-11-06T23:40:37.277Z", "datePublished": "2025-12-18T22:02:07.323Z", "dateUpdated": "2026-04-16T14:19:05.887Z"}, "containers": {"cna": {"title": "Microsoft Purview eDiscovery Remote Code Execution Vulnerability", "datePublic": "2025-12-18T08:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_purview:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Purview", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-35: Path Traversal: '.../...//'", "lang": "en-US", "type": "CWE", "cweId": "CWE-35"}, {"description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "lang": "en-US", "type": "CWE", "cweId": "CWE-94"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-16T14:19:05.887Z"}, "references": [{"name": "Microsoft Purview eDiscovery Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64676"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64676", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-20T04:56:29.927339Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:07:25.910Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64676", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-19T15:11:13.934071Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-19T15:11:19.218Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Purview eDiscovery Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Purview", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2025-12-18T08:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64676", "name": "Microsoft Purview eDiscovery Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-35", "description": "CWE-35: Path Traversal: '.../...//'"}, {"lang": "en-US", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:office_purview:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-02-20T15:59:42.469Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64676", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:59:42.469Z", "dateReserved": "2025-11-06T23:40:37.277Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2025-12-18T22:02:07.323Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:purview:-:*:*:*:*:*:*:*", "matchCriteriaId": "7387D350-6697-4865-BF5B-1D36F1B1A8DF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network."}], "id": "CVE-2025-64676", "lastModified": "2026-02-10T20:16:52.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2025-12-18T22:16:00.910", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64676"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-35"}, {"lang": "en", "value": "CWE-94"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T15:37:54.372399+00:00", "value": {"mitigation_remediation": ["Apply any available Microsoft Purview patch or update when it is released by Microsoft.", "Restrict Purview user permissions, ensuring only roles that truly require elevated privileges can access the vulnerable functionality.", "Continuously monitor Purview logs and network activity for suspicious code execution or abnormal API usage patterns."], "summary": {"action": "Assess Impact", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Microsoft Purview is affected; no specific version information is provided, so all instances of Microsoft Purview that have not applied downstream security updates could be vulnerable.", "description_and_impact": "The vulnerability allows an authorized attacker to execute arbitrary code by using a specially crafted payload that exploits a flaw in Microsoft Purview. This capability enables the attacker to run code on the Purview service, compromising confidentiality, integrity, and availability of the data stored and processed by the service. The weakness is identified as CWE-35 (XSS) and CWE-94 (Code Injection).", "risk_and_exploitability": "The CVSS score of 7.2 indicates a moderate to high severity risk, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Because the attacker must be an authorized user of Purview, the threat is primarily an internal or privileged actor scenario; no publicly available exploit was reported in the CVE description."}}}}, "created": "2026-04-20T15:45:10.379744+00:00", "updated": "2026-04-20T15:45:10.379754+00:00", "vendors": []}