CVE-2025-59199

Published Oct 14, 2025

Last updated 7 months ago

CVSS high 7.8
Software Protection Platform
SPP

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-59199 is an improper access control vulnerability in the Software Protection Platform (SPP) of Microsoft Windows. It allows an authorized local attacker to elevate privileges. The vulnerability, dubbed "Click Or Trick," is a sandbox escape in Windows 11: a low-integrity process can achieve escalated code execution and an arbitrary file write by chaining URI redirects with a misconfigured Component Object Model (COM) infrastructure, often requiring only a single user click.

Description: Improper access control in Software Protection Platform (SPP) allows an authorized attacker to elevate privileges locally.
Source: secure@microsoft.com
NVD status: Analyzed
Products: windows_10_1809, windows_10_21h2, windows_10_22h2, windows_11_22h2, windows_11_23h2, windows_11_24h2, windows_11_25h2, windows_server_2019, windows_server_2022, windows_server_2022_23h2, windows_server_2025

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

secure@microsoft.com: CWE-284
nvd@nist.gov: NVD-CWE-noinfo

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

5

  1. Fresh @safebreach Labs research! 🔥 CVE-2025-59199 breaks down a highly creative low-integrity Windows LPE path. Learn how Notifications, COM objects, URIs, DevTools, and Windows Apps chain together in a single exploit. Great work team! 👇 https://t.co/1PgKB1WIxe

    @oryair1999 · 2 Jun 2026 · 2036 impressions · 13 retweets · 25 likes · 15 bookmarks · 0 replies · 0 quotes

  2. 🚨 Windows 11 Sandbox Escape via “toast click” (CVE-2025-59199) = Microsoft’s idea of a safe playground… with a hidden trapdoor. “Guided tour” for attackers, not users. https://t.co/w0kQY80tyP #SandboxEscape #EndpointDetection #Windows11Security #Cve202559199 https:

    @windowsforum · 1 Jun 2026 · 41 impressions · 0 retweets · 1 like · 0 bookmarks · 0 replies · 0 quotes

  3. 🪟 “Click or Trick” sandbox escape (CVE-2025-59199) fixed after one-click low-to-high jump. So yeah, Windows is the attack surface again—no driver magic required. Love that for us. #Windows #Microsoft #Security https://t.co/XNMsFvKzPI #SandboxEscape #Windows11Security htt

    @windowsforum · 1 Jun 2026 · 29 impressions · 0 retweets · 0 likes · 0 bookmarks · 0 replies · 0 quotes

  4. 『What makes this research unusual is that it crosses four security domains that rarely appear in the same research, let alone the same exploit.』🧐 Click Or Trick (CVE-2025-59199): Escaping the Sandbox with Windows URIs https://t.co/JcEBng9osA

    @autumn_good_35 · 28 May 2026 · 346 impressions · 0 retweets · 0 likes · 0 bookmarks · 0 replies · 0 quotes

  5. New Research: Click Or Trick (CVE-2025-59199): How do you escape the Windows 11 sandbox? SafeBreach Labs uncovered that all it takes is a single user click and chaining 4 unrelated subsystems: COM, App Identity, URI quirks, and DevTools WebSockets. 🔗https://t.co/vU8r4LRg50 htt

    @safebreach · 28 May 2026 · 1139 impressions · 9 retweets · 21 likes · 8 bookmarks · 0 replies · 0 quotes
