Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-58739

CVE-2025-58739: Windows 10 Information Disclosure Flaw

CVE-2025-58739 is an information disclosure vulnerability in Windows 10 1507 File Explorer that exposes sensitive data to unauthorized actors, enabling spoofing attacks. This article covers technical details and mitigation.

Published:

CVE-2025-58739 Overview

CVE-2025-58739 is an information disclosure vulnerability in Windows File Explorer that allows an unauthenticated attacker to perform spoofing over a network. The flaw stems from exposure of sensitive information to an unauthorized actor [CWE-200]. Microsoft published the advisory on October 14, 2025, covering a broad range of supported Windows client and server releases.

Exploitation requires user interaction, such as opening a crafted file or navigating to an attacker-controlled resource through File Explorer. Once triggered, the disclosed data can be reused by the attacker to impersonate a trusted identity on the network.

Critical Impact

An unauthenticated remote attacker who convinces a user to interact with a crafted resource can obtain sensitive information from File Explorer and use it to spoof identities across the network.

Affected Products

  • Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (versions 22H2, 23H2, 24H2, 25H2)
  • Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2025-10-14 - CVE-2025-58739 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-58739

Vulnerability Analysis

CVE-2025-58739 is classified under [CWE-200] as an exposure of sensitive information to an unauthorized actor. Windows File Explorer leaks data that should remain protected when a user interacts with a crafted file, shortcut, or path. The attack is network-reachable and does not require prior authentication, but it does require the victim to perform an action such as browsing or opening a resource.

The disclosed information supports a spoofing outcome rather than direct code execution or data modification. In practical terms, this class of File Explorer flaw has historically leaked authentication material such as NTLM hashes or account context, which an attacker can relay or crack to impersonate the victim against network services.

The EPSS score is 0.746% (50th percentile), indicating a moderate likelihood of exploitation activity being observed relative to other published CVEs. Microsoft's advisory covers every supported branch of Windows and Windows Server, indicating the affected component is shared across the OS family.

Root Cause

The root cause is File Explorer processing a network-supplied resource in a way that exposes sensitive information to the requesting party. Because File Explorer resolves paths, icons, thumbnails, and metadata automatically, a crafted reference can coerce the Explorer process into contacting an attacker-controlled endpoint and disclosing identifying data during that interaction.

Attack Vector

The attacker delivers a crafted file, shortcut, archive, or link that a user opens or previews in File Explorer. When File Explorer processes the item, it emits information the attacker captures on their controlled endpoint. The captured data enables spoofing against systems that trust the victim's identity, for example through relay attacks or replay of leaked credentials.

No verified public proof-of-concept is available at the time of publication. Refer to the Microsoft Vulnerability Advisory CVE-2025-58739 for vendor-specific technical details.

Detection Methods for CVE-2025-58739

Indicators of Compromise

  • Outbound SMB, WebDAV, or HTTP connections from explorer.exe to untrusted external hosts shortly after a user opens an email attachment or shared link.
  • Unexpected NTLM authentication attempts originating from user endpoints to internet-facing or unfamiliar internal hosts.
  • Delivery of .lnk, .url, .library-ms, .search-ms, or archive files from external sources that reference remote UNC paths.

Detection Strategies

  • Alert on explorer.exe initiating network connections to non-corporate IP ranges, particularly on ports 445, 139, and 80/443 for WebDAV.
  • Correlate File Explorer file-open events with subsequent outbound authentication attempts to detect coerced authentication patterns.
  • Inspect email and web gateway logs for delivery of shortcut and library files that embed remote references.

Monitoring Recommendations

  • Enable NTLM auditing (Event IDs 8001-8004) on endpoints and domain controllers to surface outbound NTLM to unexpected destinations.
  • Monitor Sysmon Event ID 3 (network connect) filtered on explorer.exe for connections leaving trusted network boundaries.
  • Track creation of shortcut and library files in user download and temp directories using file integrity monitoring.

How to Mitigate CVE-2025-58739

Immediate Actions Required

  • Apply the October 2025 Microsoft security updates referenced in the Microsoft Vulnerability Advisory CVE-2025-58739 to all Windows client and server systems.
  • Block outbound SMB (TCP 445) and WebDAV traffic to the public internet at the perimeter firewall.
  • Restrict NTLM authentication to external destinations using Group Policy Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.

Patch Information

Microsoft published the patch guidance for CVE-2025-58739 on October 14, 2025. Administrators should consult the Microsoft Vulnerability Advisory CVE-2025-58739 for the specific KB article and cumulative update that applies to each affected Windows build. Deploy the updates through Windows Update, WSUS, or Microsoft Intune.

Workarounds

  • Enforce SMB signing and Extended Protection for Authentication to reduce the impact of relayed credentials disclosed by File Explorer.
  • Disable automatic thumbnail and preview generation for files from untrusted zones through Group Policy.
  • Use Mark-of-the-Web enforcement and Attack Surface Reduction rules to block execution and preview of files delivered from the internet.
bash
# Configuration example: restrict outgoing NTLM and enforce SMB signing via PowerShell
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' \
  -Name 'RestrictSendingNTLMTraffic' -Type DWord -Value 2

Set-SmbClientConfiguration -RequireSecuritySignature $true -Confirm:$false
Set-SmbServerConfiguration -RequireSecuritySignature $true -Confirm:$false

# Block outbound SMB to the internet
New-NetFirewallRule -DisplayName 'Block Outbound SMB to Internet' \
  -Direction Outbound -Protocol TCP -RemotePort 445 \
  -RemoteAddress Internet -Action Block

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.