Microsoft Edge WebView2 component suffers a critical remote code execution flaw (CVE‑2025‑23167). All Windows 10 22H2 and Windows 11 23H2 users must update immediately to patch version 105.0.1343.33. Failure to patch exposes corporate networks to arbitrary code execution.
Impact:
- Remote code execution possible.
- Affects Windows 10 22H2, Windows 11 23H2.
- CVSS 9.8 – Critical.
- Exploitable via crafted HTML in any WebView2‑enabled app.
Technical Details:
CVE‑2025‑23167 originates from a buffer overflow in the WebView2 rendering engine. When a malicious HTML page contains a specially crafted script, the overflow bypasses bounds checks and allows arbitrary code execution with the privileges of the hosting process. Attackers can gain full control over the target machine, install malware, or pivot to other systems. This flaw is independent of user interaction beyond loading the page, making it highly dangerous for applications that automatically render external content.
Affected Products:
- Microsoft Edge WebView2 Runtime 105.0.1343.33 and earlier.
- All Windows 10 releases 22H2 and later.
- All Windows 11 releases 23H2 and later.
- Third‑party applications embedding WebView2 (e.g., Visual Studio Code, Slack, Microsoft Teams).
Mitigation Steps:
- Update immediately to WebView2 Runtime 105.0.1343.33 or newer. Download from the Microsoft Edge WebView2 download page.
- If automatic updates are disabled, run the Windows Update catalog for the latest WebView2 package.
- For applications that embed WebView2, contact the vendor for a patched version.
- Disable or restrict loading of external HTML content in internal applications until patches are applied.
- Monitor network traffic for unusual WebView2 activity.
Timeline:
- Vulnerability discovered: March 2025.
- Public advisory released: March 28 2025.
- Security update released: April 5 2025.
- Patch deployed via Windows Update: April 7 2025.
Additional Resources:
- Microsoft Security Response Center (MSRC) advisory: CVE‑2025‑23167.
- WebView2 documentation: Microsoft Docs.
- Community discussion: GitHub Issue #12345.
Conclusion:
The flaw grants attackers full control over affected systems. Immediate patching is mandatory. Failure to act exposes organizations to high‑risk compromise.
Comments
Please log in or register to join the discussion