Microsoft Edge < 132.0.2957.140 — RCE
Four Edge-specific CVEs (beyond the Chromium fixes Edge inherits) addressing remote code execution and spoofing in Microsoft Edge's Chromium-based stable channel during January 2025. Update Edge to 132.0.2957.140 or later.
For the RCE items, an attacker who lures a user to a crafted web page (or who can poison a page the user already trusts) can achieve code execution under the account running Edge. On a Windows Server jump host where an administrator browses to internal management consoles, this becomes lateral-movement-equivalent code execution. The spoofing item enables attacker-controlled UI to be drawn over legitimate Edge chrome — useful for credential-phishing pages that mimic real Entra ID sign-in flows.
Microsoft Edge inherits every Chromium fix Chrome receives, but additionally ships Edge-only code (the sidebar, integrated copilot surfaces, enterprise-mode shim, the legacy IE-mode plumbing on Windows Server, and the MSA / Entra ID sign-in flow). MSRC tracks the Edge-only bugs separately. The January 2025 bundle covered four such CVEs: CVE-2025-21279 and CVE-2025-21283 are remote-code-execution flaws reachable through Edge's Chromium-specific extensions and integrations; CVE-2025-21342 is a remote-code-execution flaw rated Important by Microsoft; CVE-2025-21408 is a remote-code-execution / spoofing flaw in the Chromium stack as integrated by Edge.
Probably yes if any of these apply:
Affected OS versions
Microsoft shipped Edge 132.0.2957.140 on January 30, 2025, rolling up the Chromium CVE-2025-0762 patch together with these four Edge-specific items. MSRC published each CVE under its standard update-guide format with severity "Important". GovCERT.HK and Singapore's CSA both issued tracking advisories the following week. No in-the-wild exploitation is known. Edge auto-updates on most managed estates via Microsoft's Edge Update service or via WSUS / Intune; the gap that needs human attention is fleet inventory of unmanaged or pinned Edge builds — particularly RDS / Citrix gold images and air-gapped management environments where auto-update is disabled.
Manual remediation steps
⏱ 10 minutes per host (Edge relaunch only)
Check current Edge version
# Edge Stable installs under Program Files (x86) on 64-bit Windows, Program Files on 32-bit
$edgePath = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
if (-not (Test-Path $edgePath)) {
    $edgePath = "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe"
}
if (Test-Path $edgePath) {
    (Get-Item $edgePath).VersionInfo.ProductVersion
}
# Vulnerable if older than 132.0.2957.140
Update Edge
# Option 1 — force the Edge Update service to check immediately:
$edgeUpdate = "${env:ProgramFiles(x86)}\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
if (Test-Path $edgeUpdate) { & $edgeUpdate /ua /installsource scheduler }
# Option 2 — winget on Windows 10/11 / Server 2025:
winget upgrade Microsoft.Edge --silent
# Option 3 — open edge://settings/help in Edge and click Restart to apply.
Enterprise deployment
Set the UpdateDefault and Update{...} Edge Update policies to "Always allow updates" so the next online window picks up the fix.
Verify
(Get-Item "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe").VersionInfo.ProductVersion
# Must show 132.0.2957.140 or later.
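The inventory gap called out above (pinned or unmanaged Edge builds) is what the following check is for: it combines the version check from the steps above with a look at the Edge Update policy that can silently block the fix. This is an added example, not the advisory's own script; the fixed version comes from the advisory, the function name and output fields are this example's own, and the policy value semantics are those of the Edge Update policy (0 = disabled, 1 = always allow, 2 = manual only, 3 = automatic silent only).

```powershell
# Added example, not part of the advisory. Fixed build taken from the advisory text.
$FixedEdgeVersion = [version]'132.0.2957.140'

function Get-EdgeStableStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Edge Stable lives in one of two per-machine paths depending on OS bitness.
    $candidates = @(
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
        "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe"
    )
    $exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1

    $installed = $null
    if ($exe) {
        # Cast to [version]: a string comparison would rank 132.0.2957.99 above .140.
        $installed = [version](Get-Item $exe).VersionInfo.ProductVersion
    }

    # Edge Update policy key. UpdateDefault covers all channels; per-app Update{<GUID>}
    # values override it. A value of 0 means the client will never pull the fix.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
    $updateDefault = $null
    $overrides = @{}
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty $policyKey
        $updateDefault = $p.UpdateDefault
        foreach ($name in ($p.PSObject.Properties.Name -match '^Update\{.*\}$')) {
            $overrides[$name] = $p.$name
        }
    }
    $updatesBlocked = ($updateDefault -eq 0) -or ($overrides.Values -contains 0)

    [pscustomobject]@{
        ComputerName   = $ComputerName
        EdgeVersion    = if ($installed) { $installed.ToString() } else { 'not installed' }
        Vulnerable     = [bool]($installed -and $installed -lt $FixedEdgeVersion)
        UpdatesBlocked = $updatesBlocked
        UpdateDefault  = $updateDefault
        PerAppOverride = ($overrides.Keys -join ',')
    }
}

# Local run; for a fleet, call it inside Invoke-Command against your host list and export to CSV.
Get-EdgeStableStatus | Format-List
```

A host reporting Vulnerable = True together with UpdatesBlocked = True is the case the advisory flags for manual attention (gold images, RDS/Citrix hosts, air-gapped consoles), since Edge Update will not remediate it on its own.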