Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-59185

CVE-2025-59185: Windows 10 1507 Path Traversal Flaw

CVE-2025-59185 is a path traversal vulnerability in Windows 10 1507 Core Shell that enables attackers to exploit file name controls for network-based spoofing attacks. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-59185 Overview

CVE-2025-59185 is a spoofing vulnerability in the Windows Core Shell caused by external control of file name or path [CWE-73]. An unauthorized attacker can leverage this flaw over a network to trick users into interacting with attacker-controlled resources that appear legitimate. Exploitation requires user interaction, such as opening a crafted file or link. Microsoft published the advisory on October 14, 2025, and the issue affects a wide range of Windows client and server releases, from Windows 10 1507 through Windows 11 25H2 and Windows Server 2012 through Windows Server 2025. The vulnerability carries a CVSS 3.1 base score of 6.5 and impacts confidentiality without affecting integrity or availability.

Critical Impact

A remote attacker can perform spoofing against Windows users by manipulating file names or paths handled by the Core Shell, potentially exposing sensitive information when the target opens the crafted content.

Affected Products

  • Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (22H2, 23H2, 24H2, 25H2)
  • Microsoft Windows Server 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2025-10-14 - CVE-2025-59185 assigned and Microsoft releases security update
  • 2025-10-14 - CVE-2025-59185 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-59185

Vulnerability Analysis

The vulnerability resides in the Windows Core Shell, the component responsible for rendering and handling shell items such as file paths, shortcuts, and URI references. Because the shell trusts externally supplied file name or path input without adequate validation, an attacker can craft content that misrepresents the true target of a shell operation. When a user opens or previews such content, the shell renders attacker-chosen strings, enabling spoofing of the source, origin, or type of a resource. The confidentiality impact stems from users being deceived into disclosing information to attacker-controlled destinations.

Root Cause

The root cause is classified under [CWE-73]: External Control of File Name or Path. The Core Shell accepts path or filename data from untrusted sources and uses it in display or resolution logic without sufficient canonicalization. This allows crafted values, such as misleading extensions, embedded control characters, or manipulated path segments, to alter what the user perceives versus what the shell actually processes.

Attack Vector

Exploitation occurs over the network and requires user interaction. A typical scenario involves an attacker delivering a crafted file, shortcut, or link through email, a compromised website, or a network share. When the target opens the item in Windows Explorer or another Core Shell surface, the spoofed metadata is displayed, leading the user to trust and act on the content. No privileges are required on the target system prior to exploitation.

No public proof-of-concept code has been released for CVE-2025-59185 at the time of writing. Refer to the Microsoft Security Update CVE-2025-59185 advisory for vendor technical detail.

Detection Methods for CVE-2025-59185

Indicators of Compromise

  • Files or shortcuts with mismatched displayed extensions and actual file types delivered via email or network shares.
  • Shell items referencing remote UNC paths or WebDAV endpoints that resolve to attacker-controlled infrastructure.
  • User reports of prompts or dialogs showing unexpected file origins or names after opening received content.

Detection Strategies

  • Inspect endpoint telemetry for explorer.exe opening files from untrusted network locations shortly after email or browser activity.
  • Correlate shell item execution with outbound SMB, WebDAV, or HTTP traffic to external hosts.
  • Hunt for shortcut (.lnk) and URL files created in user directories that reference remote paths with obfuscated or double extensions.

Monitoring Recommendations

  • Enable Microsoft Defender or equivalent EDR telemetry for shell activation events and process launches originating from Explorer.
  • Log and alert on outbound SMB and WebDAV connections from user workstations to non-corporate destinations.
  • Baseline normal file-open activity for high-risk users and flag anomalous access to remote paths.

How to Mitigate CVE-2025-59185

Immediate Actions Required

  • Apply the Microsoft October 2025 security updates addressing CVE-2025-59185 across all affected Windows client and server builds.
  • Prioritize patching of internet-facing terminal servers, jump hosts, and privileged administrator workstations.
  • Reinforce user awareness regarding suspicious attachments, shortcuts, and links delivered from external sources.

Patch Information

Microsoft has released fixes through the standard Windows Update channel. Consult the Microsoft Security Update CVE-2025-59185 advisory for the specific KB numbers per operating system build and deploy them through Windows Update, WSUS, or Microsoft Intune.

Workarounds

  • Block outbound SMB (TCP 445) and WebDAV traffic to the public internet at the perimeter to reduce remote path exploitation.
  • Configure email gateways to strip or quarantine .lnk, .url, and other shell-handled shortcut file types from external senders.
  • Enforce Mark-of-the-Web enforcement and Protected View policies so that files from untrusted zones require explicit user acknowledgement.
bash
# Configuration example: block outbound SMB to the internet via Windows Firewall
New-NetFirewallRule -DisplayName "Block Outbound SMB to Internet" `
  -Direction Outbound `
  -Protocol TCP `
  -RemotePort 445 `
  -RemoteAddress Internet `
  -Action Block

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.