CVE-2025-21187 is a remote code execution vulnerability identified in Microsoft Power Automate for Desktop version 1.0.0.0. The root cause is improper control over the generation of code, categorized as CWE-94, which allows code injection attacks. This vulnerability enables an attacker to inject and execute arbitrary code within the context of the affected application. The CVSS v3.1 base score is 7.8, indicating high severity. The attack vector is local (AV:L), requiring the attacker to have local access but no privileges (PR:N). User interaction (UI:R) is necessary, meaning the victim must be tricked into performing an action such as opening a malicious file or input. The vulnerability affects confidentiality, integrity, and availability (C:H/I:H/A:H), allowing full system compromise if exploited. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. No known exploits have been reported yet, and no patches are currently available, increasing the urgency for defensive measures. This vulnerability is particularly concerning for organizations automating workflows with Power Automate for Desktop, as it could lead to unauthorized code execution and system compromise.

The vulnerability poses a significant risk to organizations using Microsoft Power Automate for Desktop, especially those relying on automation for critical business processes. Successful exploitation could lead to complete system compromise, including unauthorized access to sensitive data, manipulation or destruction of data, and disruption of automated workflows. This could result in operational downtime, data breaches, and potential lateral movement within corporate networks. Since the attack requires local access and user interaction, insider threats or social engineering attacks become viable vectors. The lack of an available patch increases exposure time, potentially allowing attackers to develop exploits. Organizations in sectors such as finance, healthcare, manufacturing, and government, where automation tools are heavily used, face elevated risks. The vulnerability could also be leveraged as a foothold for broader attacks within enterprise environments.

Organizations should immediately implement strict access controls to limit local access to systems running Power Automate for Desktop. User training to recognize and avoid suspicious files or inputs is critical to reduce the risk of social engineering exploitation. Employ application whitelisting and endpoint detection and response (EDR) solutions to monitor and block unauthorized code execution attempts. Disable or restrict Power Automate for Desktop usage where feasible until a patch is released. Regularly audit and monitor automation workflows for anomalies. Network segmentation can limit the impact of a compromised system. Maintain up-to-date backups to enable recovery in case of compromise. Stay alert for official patches or advisories from Microsoft and apply them promptly once available. Consider deploying endpoint privilege management to minimize the ability of attackers to execute code with elevated privileges.