CVE-2025-59185 Overview
CVE-2025-59185 is a spoofing vulnerability in the Windows Core Shell caused by external control of file name or path [CWE-73]. An unauthorized attacker can leverage this flaw over a network to trick users into interacting with attacker-controlled resources that appear legitimate. Exploitation requires user interaction, such as opening a crafted file or link. Microsoft published the advisory on October 14, 2025, and the issue affects a wide range of Windows client and server releases, from Windows 10 1507 through Windows 11 25H2 and Windows Server 2012 through Windows Server 2025. The vulnerability carries a CVSS 3.1 base score of 6.5 and impacts confidentiality without affecting integrity or availability.
Critical Impact
A remote attacker can perform spoofing against Windows users by manipulating file names or paths handled by the Core Shell, potentially exposing sensitive information when the target opens the crafted content.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (22H2, 23H2, 24H2, 25H2)
- Microsoft Windows Server 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-10-14 - CVE-2025-59185 assigned and Microsoft releases security update
- 2025-10-14 - CVE-2025-59185 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-59185
Vulnerability Analysis
The vulnerability resides in the Windows Core Shell, the component responsible for rendering and handling shell items such as file paths, shortcuts, and URI references. Because the shell trusts externally supplied file name or path input without adequate validation, an attacker can craft content that misrepresents the true target of a shell operation. When a user opens or previews such content, the shell renders attacker-chosen strings, enabling spoofing of the source, origin, or type of a resource. The confidentiality impact stems from users being deceived into disclosing information to attacker-controlled destinations.
Root Cause
The root cause is classified under [CWE-73]: External Control of File Name or Path. The Core Shell accepts path or filename data from untrusted sources and uses it in display or resolution logic without sufficient canonicalization. This allows crafted values, such as misleading extensions, embedded control characters, or manipulated path segments, to alter what the user perceives versus what the shell actually processes.
Attack Vector
Exploitation occurs over the network and requires user interaction. A typical scenario involves an attacker delivering a crafted file, shortcut, or link through email, a compromised website, or a network share. When the target opens the item in Windows Explorer or another Core Shell surface, the spoofed metadata is displayed, leading the user to trust and act on the content. No privileges are required on the target system prior to exploitation.
No public proof-of-concept code has been released for CVE-2025-59185 at the time of writing. Refer to the Microsoft Security Update CVE-2025-59185 advisory for vendor technical detail.
Detection Methods for CVE-2025-59185
Indicators of Compromise
- Files or shortcuts with mismatched displayed extensions and actual file types delivered via email or network shares.
- Shell items referencing remote UNC paths or WebDAV endpoints that resolve to attacker-controlled infrastructure.
- User reports of prompts or dialogs showing unexpected file origins or names after opening received content.
Detection Strategies
- Inspect endpoint telemetry for explorer.exe opening files from untrusted network locations shortly after email or browser activity.
- Correlate shell item execution with outbound SMB, WebDAV, or HTTP traffic to external hosts.
- Hunt for shortcut (.lnk) and URL files created in user directories that reference remote paths with obfuscated or double extensions.
Monitoring Recommendations
- Enable Microsoft Defender or equivalent EDR telemetry for shell activation events and process launches originating from Explorer.
- Log and alert on outbound SMB and WebDAV connections from user workstations to non-corporate destinations.
- Baseline normal file-open activity for high-risk users and flag anomalous access to remote paths.
How to Mitigate CVE-2025-59185
Immediate Actions Required
- Apply the Microsoft October 2025 security updates addressing CVE-2025-59185 across all affected Windows client and server builds.
- Prioritize patching of internet-facing terminal servers, jump hosts, and privileged administrator workstations.
- Reinforce user awareness regarding suspicious attachments, shortcuts, and links delivered from external sources.
Patch Information
Microsoft has released fixes through the standard Windows Update channel. Consult the Microsoft Security Update CVE-2025-59185 advisory for the specific KB numbers per operating system build and deploy them through Windows Update, WSUS, or Microsoft Intune.
Workarounds
- Block outbound SMB (TCP 445) and WebDAV traffic to the public internet at the perimeter to reduce remote path exploitation.
- Configure email gateways to strip or quarantine .lnk, .url, and other shell-handled shortcut file types from external senders.
- Enforce Mark-of-the-Web enforcement and Protected View policies so that files from untrusted zones require explicit user acknowledgement.
# Configuration example: block outbound SMB to the internet via Windows Firewall
New-NetFirewallRule -DisplayName "Block Outbound SMB to Internet" `
-Direction Outbound `
-Protocol TCP `
-RemotePort 445 `
-RemoteAddress Internet `
-Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

