CVE-2025-25008

Published: Mar 11, 2025Modified: Jul 1, 2025

7.1

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploitability: 1.8 / Impact: 5.2

Source: secure@microsoft.com (Secondary)

Description

Improper link resolution before file access ('link following') in Microsoft Windows allows an authorized attacker to elevate privileges locally.

Affected (5)

Products: Microsoft: Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 23h2, Windows Server 2025

5 products

Windows Server 2016

Windows Server 2019

Windows Server 2022

Windows Server 2022 23h2

Windows Server 2025

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Microsoft Windows Server 2016	Before 10.0.14393.7876
Microsoft Windows Server 2019	Before 10.0.17763.7009
Microsoft Windows Server 2022	Before 10.0.20348.3328
Microsoft Windows Server 2022 23h2	Before 10.0.25398.1486
Microsoft Windows Server 2025	Before 10.0.26100.3476

Related CWEs

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (1)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-25008

Source: secure@microsoft.com

Vendor Advisory

Timeline

No history available yet.