CVE-2025-47160 Overview
CVE-2025-47160 is a protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network. The vulnerability is classified under [CWE-693] (Protection Mechanism Failure) and affects a broad range of supported Microsoft Windows client and server editions. Successful exploitation requires user interaction, such as opening a crafted file or link delivered by the attacker. Microsoft addressed the issue as part of its June 2025 security update cycle.
Critical Impact
An attacker who convinces a user to interact with malicious content can bypass a Windows Shell security control, undermining a defense-in-depth boundary and enabling follow-on execution of untrusted code.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-06-10 - CVE-2025-47160 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-47160
Vulnerability Analysis
The flaw resides in Windows Shell, the component responsible for handling file associations, shortcuts, and container prompts used to warn users before executing untrusted content. A protection mechanism failure means a security check that should have triggered fails to enforce its policy, allowing content that would normally be blocked or flagged to proceed. Because the attack vector is network-based, the malicious payload can be delivered through file shares, phishing attachments, or web-hosted links. The confidentiality, integrity, and availability impact is limited, consistent with a security feature bypass rather than direct code execution.
Root Cause
The root cause is an implementation defect in the Windows Shell protection logic that fails to correctly evaluate or apply a security control (CWE-693). Rather than validating input or enforcing memory safety, the affected code path incorrectly permits content that should be blocked, likely by mishandling metadata such as Mark-of-the-Web or trust attributes that Windows Shell uses to gate execution. Microsoft has not published low-level implementation details in its advisory.
Attack Vector
Exploitation requires the attacker to deliver a crafted file, shortcut, or link over a network channel and convince a target user to open it. Because privileges required are none but user interaction is required, common delivery methods include spearphishing attachments, drive-by downloads from attacker-controlled sites, and SMB or WebDAV shares. Once the security feature is bypassed, the attacker can chain the flaw with additional payloads to execute code the user would otherwise have been warned about.
No verified public proof-of-concept exploit is available at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data places the likelihood of near-term exploitation in the mid range relative to other published CVEs.
Detection Methods for CVE-2025-47160
Indicators of Compromise
- Unexpected execution of scripts, .lnk files, or installers originating from downloads, email attachments, or remote SMB and WebDAV paths without a SmartScreen or Mark-of-the-Web prompt.
- Files written to user profile directories that lack the Zone.Identifier alternate data stream despite arriving from an external source.
- explorer.exe spawning uncommon child processes such as powershell.exe, mshta.exe, wscript.exe, or rundll32.exe shortly after a user opens externally sourced content.
Detection Strategies
- Alert on explorer.exe process trees where the parent chain includes browser, mail client, or archive utility processes and the child performs network or scripting activity.
- Hunt for creation of shortcut files (.lnk, .url) referencing UNC paths, WebDAV endpoints, or unusual command-line arguments.
- Correlate email gateway and proxy telemetry with endpoint file-write events to identify content that reached disk without expected zone identifiers.
Monitoring Recommendations
- Ingest Windows Sysmon, PowerShell, and audit logs into a central data lake to enable cross-host hunting for shell-launched anomalies.
- Track Microsoft Defender SmartScreen and Mark-of-the-Web telemetry for suppression or absence on files delivered from network locations.
- Review authenticated SMB and WebDAV access patterns for unusual outbound connections from user endpoints.
Security teams using Singularity Endpoint can leverage behavioral AI to flag anomalous explorer.exe child-process chains, and Singularity Data Lake supports OCSF-normalized queries across endpoint, email, and network telemetry to accelerate this hunt.
How to Mitigate CVE-2025-47160
Immediate Actions Required
- Apply the June 2025 Microsoft security updates for all affected Windows client and server SKUs listed in the advisory.
- Prioritize patching for internet-facing workstations, jump hosts, and systems used by high-risk user populations such as executives and IT administrators.
- Reinforce user awareness guidance on opening files from unknown senders, unfamiliar shares, and untrusted web sources.
Patch Information
Microsoft has released fixes through its regular Patch Tuesday channel. Refer to the Microsoft Security Update Guide for CVE-2025-47160 for the specific KB articles that apply to each affected Windows and Windows Server version, and deploy them via Windows Update, WSUS, Intune, or Configuration Manager.
Workarounds
- Block inbound SMB and WebDAV traffic from untrusted networks at the perimeter and disable outbound SMB where operationally feasible.
- Enforce Attack Surface Reduction rules that limit script and executable launches from Office, mail, and browser child processes.
- Ensure Mark-of-the-Web propagation is enabled for archive utilities and that SmartScreen is turned on for Explorer and Edge.
# Example: enforce Microsoft Defender ASR rules via PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Ids `
D4F940AB-401B-4EFC-AADC-AD5F3C50688A, `
3B576869-A4EC-4529-8536-B80A7769E899, `
D3E037E1-3EB8-44C8-A917-57927947596D `
-AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

