CVE-2025-59244 Overview
CVE-2025-59244 is a spoofing vulnerability in the Windows Core Shell component. The flaw stems from external control of a file name or path [CWE-73], which allows an unauthorized attacker to perform spoofing over a network. Exploitation requires user interaction, such as opening a crafted file or link delivered through email, chat, or a compromised web page.
Microsoft published the advisory on October 14, 2025. The vulnerability affects a broad range of supported Windows client and server releases, from Windows 10 1507 through Windows 11 25H2, and Windows Server 2012 R2 through Windows Server 2025.
Critical Impact
A successful attack lets an unauthenticated adversary manipulate how the Windows Core Shell resolves file names or paths, enabling convincing spoofing scenarios that can lead to credential theft or execution of attacker-controlled content presented as trusted.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (22H2, 23H2, 24H2, 25H2)
- Microsoft Windows Server 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-10-14 - CVE-2025-59244 published to NVD with Microsoft advisory
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-59244
Vulnerability Analysis
The vulnerability lives in the Windows Core Shell, the component that handles file, shortcut, and URI presentation across Explorer, dialogs, and shell namespace extensions. The Core Shell accepts a file name or path value whose content is influenced by attacker-supplied input. Because that value is not validated or normalized against a trusted source, the shell renders or acts on the attacker-chosen representation.
The practical result is spoofing. A user viewing a crafted item is shown information that does not match the underlying resource. This deceives the user into trusting a file, link, or origin that an attacker controls. The confidentiality impact is rated high because the deception commonly leads to disclosure of credentials or sensitive content over a network channel.
Exploitation is remote and requires no privileges, but does require user interaction to open or interact with the crafted content.
Root Cause
The root cause is external control of a file name or path, tracked as [CWE-73]. The Core Shell trusts a caller-provided string when constructing or displaying a resource identifier. Without strict validation, attackers substitute paths or file references that misrepresent origin, type, or destination.
Attack Vector
An attacker delivers a crafted file, shortcut, archive, or link to a target user. When the user opens the item in Windows Explorer or a shell-integrated dialog, the Core Shell processes the attacker-controlled path and presents spoofed context. The user then performs an action, such as authenticating or opening a follow-on payload, believing it targets a trusted resource.
Verified proof-of-concept code is not publicly available at the time of writing. Refer to the Microsoft CVE-2025-59244 Advisory for technical detail.
Detection Methods for CVE-2025-59244
Indicators of Compromise
- Shortcut (.lnk), URL (.url), or search connector files with target paths pointing to remote SMB or WebDAV shares controlled by external hosts.
- Outbound SMB (TCP 445) or WebDAV traffic to untrusted internet destinations shortly after a user opens an emailed attachment or archive.
- Explorer or shell processes accessing file paths containing UNC references, unusual Unicode characters, or right-to-left override sequences.
Detection Strategies
- Hunt for shell-hosted processes (explorer.exe, SearchApp.exe) initiating network connections to external file-sharing endpoints.
- Alert on creation or delivery of .lnk, .url, .library-ms, and .searchConnector-ms files from email or download sources.
- Correlate user file-open events with NTLM authentication attempts to unfamiliar external hosts, a common outcome of shell-path spoofing.
Monitoring Recommendations
- Monitor endpoint telemetry for shell namespace file types originating outside trusted directories.
- Log and review outbound SMB and WebDAV connections from user workstations at the perimeter.
- Track Windows Update compliance for the October 2025 security rollup across all Windows 10, Windows 11, and Windows Server SKUs.
How to Mitigate CVE-2025-59244
Immediate Actions Required
- Apply the October 2025 Microsoft security updates that address CVE-2025-59244 across every affected Windows client and server version.
- Prioritize patching internet-facing workstations, jump hosts, and multi-user systems where crafted files are most likely to be opened.
- Reinforce user awareness that shortcut and URL files delivered via email or chat should be treated as executable content.
Patch Information
Microsoft published fixes through its standard Update Guide entry. Consult the Microsoft CVE-2025-59244 Advisory for the exact KB numbers per Windows build and deploy them through Windows Update, WSUS, Microsoft Intune, or Configuration Manager.
Workarounds
- Block outbound SMB (TCP 445) and WebDAV to the public internet at the perimeter firewall to limit spoofing that pivots to remote authentication.
- Enforce SMB signing and disable NTLM outbound to external destinations using group policy where operationally feasible.
- Strip or quarantine .lnk, .url, .library-ms, and .searchConnector-ms attachments at the email gateway until patching is complete.
# Example: block outbound SMB to the internet with Windows Defender Firewall
New-NetFirewallRule -DisplayName "Block Outbound SMB to Internet" \
-Direction Outbound \
-Action Block \
-Protocol TCP \
-RemotePort 445 \
-RemoteAddress Internet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

