CVE-2025-59206 Overview
CVE-2025-59206 is an elevation of privilege vulnerability in the Windows Resilient File System (ReFS) Deduplication Service. The flaw stems from a use-after-free condition [CWE-416] in the service's memory handling. A local, authenticated attacker who wins a timing-sensitive race can execute code in the context of the deduplication service and gain SYSTEM-level privileges. Microsoft rates the issue with a CVSS 3.1 score of 7.4. The vulnerability affects current Windows 11 and Windows Server 2025 builds where the ReFS deduplication feature is available.
Critical Impact
Successful exploitation yields SYSTEM-level code execution on affected Windows 11 and Windows Server 2025 systems, giving the attacker complete compromise of the host's confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 11 version 24H2
- Microsoft Windows 11 version 25H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2025-10-14 - CVE-2025-59206 published to the National Vulnerability Database
- 2025-10-14 - Microsoft published the security update guide entry for CVE-2025-59206
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-59206
Vulnerability Analysis
The vulnerability resides in the ReFS Deduplication Service, a component that identifies and consolidates duplicate data blocks on ReFS volumes. The service maintains in-memory metadata structures that track chunk references and deduplication state. Improper synchronization between concurrent operations allows a memory object to be freed while another execution path still holds a reference to it. When the dangling pointer is dereferenced, an attacker who controls the freed memory layout can redirect execution. Because the deduplication service runs with elevated privileges, code executed through the dangling reference inherits those privileges. The attack complexity is high because the attacker must reliably win a race window between the free and reuse operations.
Root Cause
The root cause is a use-after-free flaw [CWE-416] in the ReFS Deduplication Service. Object lifetime is not correctly managed across concurrent code paths, leaving stale pointers that can be dereferenced after the underlying allocation has been released. An attacker who grooms the heap and reclaims the freed slot with controlled data can corrupt service state and hijack control flow.
Attack Vector
Exploitation requires local access to the target system. The CVSS vector records no privileges required (PR:N) and no user interaction. The attacker must trigger deduplication-related code paths on a volume that has the feature enabled, then race the service to reclaim the freed memory before the dangling pointer is used. Successful exploitation yields code execution in the service context, which results in elevation to SYSTEM.
No public proof-of-concept code was available at the time of writing. Refer to the Microsoft Security Update Guide for CVE-2025-59206 for vendor technical details.
Detection Methods for CVE-2025-59206
Indicators of Compromise
- Unexpected crashes or restarts of the ReFS Deduplication Service (fsdmhost.exe, ddpsvc, ddpeval.exe) recorded in the Windows Application or System event logs.
- New processes spawned as NT AUTHORITY\SYSTEM from a parent associated with deduplication or ReFS maintenance jobs.
- Unusual scheduled task creation or service modifications immediately following deduplication activity on ReFS volumes.
Detection Strategies
- Hunt for child processes of the deduplication service that are not part of normal maintenance, such as command interpreters or LOLBins launching under the service token.
- Correlate Windows Error Reporting entries referencing ReFS deduplication binaries with subsequent privilege escalation behavior on the same host.
- Apply behavioral analytics to detect token manipulation or privilege elevation originating from a local, non-administrative user session.
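The following hunting script implements the first two strategies above against Sysmon data. It is an added example, not part of the advisory or of any Microsoft tooling; it assumes Sysmon is installed with Event IDs 1, 8 and 10 enabled and that the script runs elevated on the host under review. The interpreter/LOLBin list and the seven-day window are assumptions to adjust per environment.

```powershell
# Added hunting script for the detection strategies above. Not part of the advisory or
# of any Microsoft tooling. Assumes Sysmon logs Event IDs 1, 8 and 10 and that this runs
# elevated on the host being examined.
$DedupBinaries = @('fsdmhost.exe', 'ddpeval.exe')   # dedup job host and evaluation tool
$Interpreters  = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                   'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'schtasks.exe')

# Flatten one Sysmon record's EventData into a hashtable keyed by field name
function ConvertFrom-SysmonEvent {
    param($Event)
    $data = @{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-SysmonEvents {
    param([int[]]$Id, [datetime]$Since)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ }
}

# Event ID 1: an interpreter or LOLBin started by a dedup binary, i.e. under the service token
function Get-DedupChildProcessFindings {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-SysmonEvents -Id 1 -Since $Since | Where-Object {
        ($DedupBinaries -contains ([IO.Path]::GetFileName($_.ParentImage))) -and
        ($Interpreters  -contains ([IO.Path]::GetFileName($_.Image)))
    } | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Finding = 'ChildOfDedupService'; User = $_.User
                           Source = $_.ParentImage; Target = $_.Image; Detail = $_.CommandLine }
    }
}

# Event IDs 8 and 10: another process creating a remote thread in, or opening a handle to, a dedup binary
function Get-DedupProcessAccessFindings {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-SysmonEvents -Id 8, 10 -Since $Since | Where-Object {
        ($DedupBinaries -contains ([IO.Path]::GetFileName($_.TargetImage))) -and
        ($_.SourceImage -ne $_.TargetImage)
    } | ForEach-Object {
        $detail = if ($_.EventId -eq 8) { "StartAddress=$($_.StartAddress)" } else { "GrantedAccess=$($_.GrantedAccess)" }
        [pscustomobject]@{ Time = $_.TimeCreated; Finding = "SysmonEvent$($_.EventId)"; User = $_.SourceUser
                           Source = $_.SourceImage; Target = $_.TargetImage; Detail = $detail }
    }
}

@(Get-DedupChildProcessFindings) + @(Get-DedupProcessAccessFindings) |
    Sort-Object Time | Format-Table -AutoSize
```

Any row from the first function is worth triage on its own; rows from the second should be correlated with the Windows Error Reporting entries and service crashes described above before escalating.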
Monitoring Recommendations
- Enable Sysmon Event IDs 1, 8, and 10 to capture process creation, remote thread injection, and process access targeting deduplication service binaries.
- Forward ReFS and storage service event logs to a centralized SIEM and alert on repeated service crashes on ReFS-enabled file servers.
- Inventory hosts where ReFS volumes with deduplication enabled exist and prioritize them for elevated monitoring until patched.
How to Mitigate CVE-2025-59206
Immediate Actions Required
- Apply the October 2025 Microsoft security update for CVE-2025-59206 to all Windows 11 24H2, 25H2, and Windows Server 2025 systems.
- Identify file servers and workstations that use ReFS volumes with deduplication enabled and prioritize them for patching.
- Restrict local interactive and remote interactive logon rights on affected hosts to reduce the population of users who can stage a local attack.
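To support the inventory step above, the following helper joins the ReFS volume list, the deduplication volume state and the deduplication service state on one host. It is an added example, not from the advisory or from Microsoft; it assumes the Storage module is present and, where the Data Deduplication feature is installed, that Get-DedupVolume reports drive-letter volumes as "D:" and other volumes by their volume GUID path.

```powershell
# Added inventory helper, not from the advisory or Microsoft. Run on each candidate host
# (locally or via Invoke-Command) to find ReFS volumes with deduplication enabled and the
# state of the deduplication service, so exposed hosts can be patched and monitored first.
function Get-ReFSDedupExposure {
    $service = Get-Service -Name ddpsvc -ErrorAction SilentlyContinue
    $build   = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $dedup   = @{}
    # Dedup cmdlets exist only where the Data Deduplication feature is installed
    if (Get-Command Get-DedupVolume -ErrorAction SilentlyContinue) {
        Get-DedupVolume -ErrorAction SilentlyContinue | ForEach-Object { $dedup[$_.Volume] = $_ }
    }
    Get-Volume | Where-Object { $_.FileSystemType -eq 'ReFS' } | ForEach-Object {
        # Assumption: Get-DedupVolume names drive-letter volumes "D:", others by GUID path
        $id = if ($_.DriveLetter) { "$($_.DriveLetter):" } else { $_.Path }
        $d  = if ($id) { $dedup[$id] } else { $null }
        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            OSBuild          = $build
            Volume           = $id
            DedupEnabled     = if ($d) { [bool]$d.Enabled } else { $false }
            DedupUsageType   = if ($d) { $d.UsageType } else { $null }
            ServiceStatus    = if ($service) { $service.Status } else { 'NotInstalled' }
            ServiceStartType = if ($service) { $service.StartType } else { $null }
        }
    }
}

# A host with any row where DedupEnabled is True and the service is not Disabled carries the vulnerable code path
Get-ReFSDedupExposure | Format-Table -AutoSize
```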
Patch Information
Microsoft has released security updates that remediate CVE-2025-59206. Patch availability and KB article identifiers are published in the Microsoft Security Update Guide for CVE-2025-59206. Administrators should validate that the cumulative update for the corresponding Windows build has been installed and that the system has rebooted to complete servicing.
Workarounds
- Where patching cannot be performed immediately, disable the ReFS Deduplication Service on hosts that do not require the feature to remove the vulnerable code path from runtime exposure.
- Limit creation of ReFS volumes with deduplication enabled to systems under strict administrative control and continuous monitoring.
- Enforce least privilege so that standard users cannot schedule or trigger deduplication jobs on affected volumes.
# Check whether ReFS deduplication is enabled on mounted volumes
Get-DedupVolume | Select-Object Volume, Enabled, UsageType
# Disable deduplication on a specific ReFS volume as a temporary mitigation
Disable-DedupVolume -Volume "D:"
# Stop and disable the deduplication service where the feature is not required
Stop-Service -Name ddpsvc -Force
Set-Service -Name ddpsvc -StartupType Disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.