CVE-2025-59210 Overview
CVE-2025-59210 is an elevation of privilege vulnerability in the Windows Resilient File System (ReFS) Deduplication Service. The flaw originates from a use-after-free condition [CWE-416] in the service that handles deduplication operations on ReFS volumes. A local attacker who successfully exploits this issue can elevate privileges on the affected host. Microsoft published the advisory on October 14, 2025, covering Windows 11 24H2, Windows 11 25H2, and Windows Server 2025.
Critical Impact
Successful exploitation allows a local, unauthenticated attacker to gain elevated privileges, compromising confidentiality, integrity, and availability of the affected system.
Affected Products
- Microsoft Windows 11 24H2
- Microsoft Windows 11 25H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2025-10-14 - CVE-2025-59210 published to NVD
- 2025-10-14 - Microsoft released the security update addressing the vulnerability
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-59210
Vulnerability Analysis
The vulnerability resides in the ReFS Deduplication Service, a component responsible for identifying duplicate data blocks on ReFS volumes and consolidating them to reduce storage consumption. The service runs with elevated privileges and processes file system metadata on behalf of local callers. A use-after-free defect in this service allows an attacker to manipulate freed memory regions that the service later accesses, redirecting execution flow or corrupting privileged data structures.
The attack requires local access and has high attack complexity, indicating that the attacker must win a race or satisfy specific timing conditions to trigger the freed object reuse. No user interaction is required, and the attacker does not need prior privileges on the system.
Root Cause
The root cause is improper lifetime management of an object within the ReFS Deduplication Service [CWE-416]. The service releases an object while another code path retains and dereferences a stale pointer. When the freed memory is reallocated with attacker-controlled content, the subsequent dereference operates on data the attacker influences.
Attack Vector
An attacker with local access initiates deduplication-related operations against a ReFS volume and races the service to reclaim freed memory before it is reused. By placing controlled data in the reclaimed allocation, the attacker can corrupt service state and obtain code execution in the context of the deduplication service. This yields elevation of privilege on the host. No public proof-of-concept code or in-the-wild exploitation has been reported, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified exploitation code is available. Refer to the Microsoft Security Update CVE-2025-59210 advisory for vendor-supplied technical details.
Detection Methods for CVE-2025-59210
Indicators of Compromise
- Unexpected crashes or restarts of the ReFS Deduplication Service (fsdmhost.exe / dedup-related service processes) on hosts with ReFS volumes.
- Creation of new privileged accounts or scheduled tasks shortly after deduplication activity on a ReFS volume.
- Unusual child processes spawned by services associated with ReFS deduplication.
Detection Strategies
- Monitor Windows Error Reporting and crash dumps for faults originating in ReFS deduplication service binaries.
- Alert on local unprivileged users triggering deduplication operations or interacting with ReFS volume management interfaces.
- Correlate service crash events with subsequent token-manipulation or privilege-elevation events on the same host.
Monitoring Recommendations
- Enable process creation auditing (Event ID 4688) and track child processes of deduplication-related services.
- Forward Sysmon process, image-load, and handle events to a centralized SIEM for behavioral analysis.
- Track installed patch levels across Windows 11 24H2, 25H2, and Server 2025 fleets to confirm remediation status.
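The crash-correlation and child-process checks from the Detection Strategies and Monitoring Recommendations lists above, as an added Python example that is not part of the original advisory: it runs over constructed Event ID 1000 (application crash), 4688 (process creation) and 4672 (special privileges assigned) records, not real telemetry, and assumes a 15-minute correlation window, an allowlist of expected fsdmhost.exe children and a list of accounts whose 4672 events are routine noise.

```python
from datetime import datetime, timedelta

DEDUP_HOST = "fsdmhost.exe"                 # dedup service process named in the advisory
EXPECTED_CHILDREN = {"conhost.exe"}         # assumed allowlist; tune per environment
NOISY_ACCOUNTS = {"nt authority\\system"}   # assumed: routine 4672 noise to ignore
CRASH_WINDOW = timedelta(minutes=15)        # assumed correlation window after a crash

# Constructed sample events modelled on Application-log 1000 (crash), Security-log
# 4688 (process creation) and 4672 (special privileges) records; not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2025-10-20T10:00:05", "host": "fs01", "id": 1000,
     "image": r"C:\Windows\System32\fsdmhost.exe"},
    {"time": "2025-10-20T10:00:09", "host": "fs01", "id": 4688,
     "parent": r"C:\Windows\System32\fsdmhost.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"fs01\bob"},
    {"time": "2025-10-20T10:00:12", "host": "fs01", "id": 4672, "user": r"fs01\bob"},
    {"time": "2025-10-20T10:01:00", "host": "fs01", "id": 4672,
     "user": r"NT AUTHORITY\SYSTEM"},
    {"time": "2025-10-20T10:30:00", "host": "fs02", "id": 4688,
     "parent": r"C:\Windows\System32\fsdmhost.exe",
     "image": r"C:\Windows\System32\conhost.exe", "user": r"NT AUTHORITY\SYSTEM"},
]

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events, crash_window=CRASH_WINDOW):
    """Return alerts for (a) unexpected children of fsdmhost.exe and (b) special
    privileges assigned on a host within crash_window after fsdmhost.exe crashed."""
    last_crash = {}  # host -> time of the most recent fsdmhost.exe crash
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 1000 and _base(ev["image"]) == DEDUP_HOST:
            last_crash[ev["host"]] = t
        elif ev["id"] == 4688 and _base(ev["parent"]) == DEDUP_HOST:
            child = _base(ev["image"])
            if child not in EXPECTED_CHILDREN:
                alerts.append({"rule": "unexpected_dedup_child", "host": ev["host"],
                               "process": child, "user": ev["user"]})
        elif ev["id"] == 4672 and ev["user"].lower() not in NOISY_ACCOUNTS:
            crashed = last_crash.get(ev["host"])
            if crashed is not None and t - crashed <= crash_window:
                alerts.append({"rule": "privilege_after_dedup_crash", "host": ev["host"],
                               "user": ev["user"],
                               "seconds_after_crash": (t - crashed).seconds})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the same two rules would be fed from forwarded Security and Application log events rather than the inline list; the allowlist is the main tuning knob, since fsdmhost.exe normally spawns very little.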
How to Mitigate CVE-2025-59210
Immediate Actions Required
- Apply the October 2025 Microsoft security update referenced in the Microsoft advisory for CVE-2025-59210 on all affected systems.
- Inventory hosts running Windows 11 24H2, 25H2, and Windows Server 2025 with ReFS volumes and prioritize them for patching.
- Restrict interactive and remote local logon rights on file servers hosting ReFS deduplicated volumes.
Patch Information
Microsoft addressed the vulnerability in the security updates published alongside the October 14, 2025 advisory. Administrators should consult the Microsoft Security Update CVE-2025-59210 page for the specific KB articles applicable to each affected build and install them through Windows Update or WSUS.
Workarounds
- If immediate patching is not feasible, disable the ReFS Data Deduplication feature on affected volumes until updates can be applied.
- Limit local logon to trusted administrators on systems hosting ReFS deduplicated storage.
- Apply application control policies to prevent untrusted binaries from executing on file servers.
# Configuration example: disable data deduplication on a ReFS volume (PowerShell)
# Stops further optimization jobs on D:; data that is already deduplicated stays
# deduplicated until an unoptimization job (Start-DedupJob -Type Unoptimization) is run.
Disable-DedupVolume -Volume "D:"
# Confirm the volume no longer reports deduplication as enabled
Get-DedupStatus -Volume "D:"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.