Tracked as CVE-2025-59282, the flaw is a race condition that leads to a use-after-free in memory shared between IIS components.
Microsoft, acting as the CNA, rated the issue Important with a CVSS 3.1 base score of 7.0 (temporal 6.1), reflecting a local attack vector, high attack complexity, no privileges required, and required user interaction.
The vulnerability arises from concurrent execution on a global memory resource used by certain IIS COM objects. In a race condition (CWE-362), improper synchronization lets one thread free memory that another thread still uses (CWE-416), creating a window for use-after-free exploitation.
An attacker crafts a malicious file and tricks a local user into opening it. If the attacker wins the race, arbitrary code executes on that machine in the security context of the process that loaded the crafted component, which can then be used to obtain an interactive shell or to drop further payloads.
Understanding these technical details helps defenders anticipate and recognize suspicious file executions.
Despite Microsoft's Remote Code Execution impact label, the attack vector is local: an attacker must already be able to run code on the target host, or must persuade a legitimate user to load a specially crafted component.
The CVSS vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H makes this explicit: attack complexity is high because the attacker must hit the timing window to win the race, and user interaction is required.
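The mechanism described above (one thread tearing down an object on a shared global slot while another thread is still using it, and the attacker needing to land inside that timing window) is easiest to see with an explicit interleaving. The following C program is an added example written for this page; it is not Microsoft's code and contains nothing from the actual IIS component. The object layout, the slot and function names, and the fixed pool are assumptions for illustration, and the `state` field exists only so the harness can report a use-after-release instead of crashing on undefined behaviour. The scheduler runs the two logical threads in a chosen order, which is what makes the race reproducible here and why the hardened variant needs no atomics in this model.

```c
#include <stdio.h>
#include <string.h>

enum { OBJ_LIVE = 1, OBJ_FREED = 2 };

typedef struct {
    int  state;        /* OBJ_LIVE or OBJ_FREED: lets the harness observe the bug */
    int  refs;         /* reference count, used only by the hardened variant */
    char payload[16];  /* stands in for the COM object's real fields (assumed layout) */
} obj_t;

/* The shared global resource: one process-wide slot that both threads touch. */
static obj_t *g_slot;

/* Tiny fixed pool instead of malloc/free, so a "freed" object stays addressable
 * and a use-after-release is reported rather than being undefined behaviour. */
static obj_t pool[4];
static int   pool_next;

static obj_t *obj_new(const char *tag)
{
    obj_t *o = &pool[pool_next++ % 4];
    o->state = OBJ_LIVE;
    o->refs  = 1;                                   /* the slot's own reference */
    memset(o->payload, 0, sizeof o->payload);
    strncpy(o->payload, tag, sizeof o->payload - 1);
    return o;
}

static void obj_destroy(obj_t *o)
{
    o->state = OBJ_FREED;
    memset(o->payload, 0xdd, sizeof o->payload);    /* poison, like a debug heap would */
}

/* Vulnerable variant: the reader takes a raw pointer and nothing records that
 * it is still in use, so the writer can tear the object down underneath it. */
static obj_t *vuln_get(void)     { return g_slot; }
static void   vuln_release(void) { obj_t *o = g_slot; g_slot = NULL; if (o) obj_destroy(o); }
static int    vuln_use(obj_t *o) { return o->state == OBJ_LIVE ? 0 : -1; }

/* Hardened variant: every reader holds a counted reference for as long as it
 * touches the object; the last reference, not the slot, decides when it dies.
 * In real multithreaded code the load of g_slot plus the increment must happen
 * under a lock (or an equivalent atomic acquire pattern) and refs must be atomic;
 * the explicit scheduler below makes plain ints sufficient in this model. */
static void   obj_put(obj_t *o)  { if (--o->refs == 0) obj_destroy(o); }
static obj_t *safe_get(void)     { obj_t *o = g_slot; if (o) o->refs++; return o; }
static void   safe_release(void) { obj_t *o = g_slot; g_slot = NULL; if (o) obj_put(o); }
static int    safe_use(obj_t *o) { int r = o->state == OBJ_LIVE ? 0 : -1; obj_put(o); return r; }

/* Explicit interleaving of the two logical threads, A (reader) and B (releaser). */
typedef enum { A_GET, B_RELEASE, A_USE } step_t;

/* Returns 0 if every use touched a live object, -1 if a use-after-release occurred. */
static int run_schedule(const step_t *steps, int n, int hardened)
{
    obj_t *held = NULL;
    int    result = 0;
    g_slot = obj_new("iis-com-obj");
    for (int i = 0; i < n; i++) {
        switch (steps[i]) {
        case A_GET:     held = hardened ? safe_get() : vuln_get(); break;
        case B_RELEASE: if (hardened) safe_release(); else vuln_release(); break;
        case A_USE:
            if (held && (hardened ? safe_use(held) : vuln_use(held)) < 0)
                result = -1;
            held = NULL;
            break;
        }
    }
    return result;
}

/* State of the object created by the most recent run_schedule(): the hardened
 * path must still end with the object destroyed (no leak), just later. */
int last_object_state(void)
{
    if (pool_next == 0) return 0;
    return pool[(pool_next - 1) % 4].state;
}

static const step_t benign_order[] = { A_GET, A_USE, B_RELEASE };   /* reader finishes first */
static const step_t racy_order[]   = { A_GET, B_RELEASE, A_USE };   /* release lands inside the window */

int demo_vulnerable_benign(void) { return run_schedule(benign_order, 3, 0); }
int demo_vulnerable_racy(void)   { return run_schedule(racy_order,   3, 0); }
int demo_hardened_racy(void)     { return run_schedule(racy_order,   3, 1); }

int main(void)
{
    printf("vulnerable, benign order : %s\n", demo_vulnerable_benign() ? "use-after-free" : "ok");
    printf("vulnerable, racy order   : %s\n", demo_vulnerable_racy()   ? "use-after-free" : "ok");
    printf("hardened,   racy order   : %s (object %s)\n",
           demo_hardened_racy() ? "use-after-free" : "ok",
           last_object_state() == OBJ_FREED ? "released" : "leaked");
    return 0;
}
```

The same three steps produce a clean run or a use-after-free depending only on where the release lands, which is what the high attack-complexity rating is pricing in: the attacker controls the file, not the scheduler. The reference-counted variant removes the window entirely rather than narrowing it, and the final check shows it still releases the object once the last user is done.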
No known public exploit or widespread weaponization exists, and Microsoft assesses real-world exploitation as unlikely at present.
Microsoft released an official fix on October 14, 2025, within its regular monthly security update cycle. All supported Windows versions with IIS installed (the table below covers both client and server editions) should install the update immediately to remediate CVE-2025-59282; where the update cannot be applied right away, compensating controls should provide layered defense until it is.
Organizations are encouraged to review their software inventory for IIS installations and confirm that inbox COM object features are disabled unless explicitly needed.
Monitoring the Microsoft Security Update Guide for new advisories, and the Microsoft Support Lifecycle portal to confirm that each Windows version in the estate is still receiving security updates, ensures that patches such as this one are applied promptly.
Staying current with security bulletins and enforcing local security policy remains essential: vulnerabilities such as this one continue to surface in the synchronization logic of legacy components.
| Product | Release Date | Impact | Severity | KB Article(s) | Download Link | Build Number |
|---|---|---|---|---|---|---|
| Windows 11 Version 25H2 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066835 | Security Update | 10.0.26200.6899 |
| Windows 11 Version 25H2 (ARM64) | Oct 14, 2025 | Remote Code Execution | Important | 5066835 | Security Update | 10.0.26200.6899 |
| Windows Server 2012 R2 (Server Core) | Oct 14, 2025 | Remote Code Execution | Important | 5066873 | Monthly Rollup | 6.3.9600.22824 |
| Windows Server 2012 R2 | Oct 14, 2025 | Remote Code Execution | Important | 5066873 | Monthly Rollup | 6.3.9600.22824 |
| Windows Server 2012 (Server Core) | Oct 14, 2025 | Remote Code Execution | Important | 5066875 | Monthly Rollup | 6.2.9200.25722 |
| Windows Server 2012 | Oct 14, 2025 | Remote Code Execution | Important | 5066875 | Monthly Rollup | 6.2.9200.25722 |
| Windows Server 2008 R2 SP1 (Server Core, x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066872, 5066876 | Monthly Rollup / Security Only | 6.1.7601.27974 |
| Windows Server 2008 R2 SP1 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066872, 5066876 | Monthly Rollup / Security Only | 6.1.7601.27974 |
| Windows Server 2008 SP2 (Server Core, x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066874, 5066877 | Monthly Rollup / Security Only | 6.0.6003.23571 |
| Windows Server 2008 SP2 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066874, 5066877 | Monthly Rollup / Security Only | 6.0.6003.23571 |
| Windows Server 2008 SP2 (Server Core, 32-bit) | Oct 14, 2025 | Remote Code Execution | Important | 5066874, 5066877 | Monthly Rollup / Security Only | 6.0.6003.23571 |
| Windows Server 2008 SP2 (32-bit) | Oct 14, 2025 | Remote Code Execution | Important | 5066874, 5066877 | Monthly Rollup / Security Only | 6.0.6003.23571 |
| Windows Server 2016 (Server Core) | Oct 14, 2025 | Remote Code Execution | Important | 5066836 | Security Update | 10.0.14393.8519 |
| Windows Server 2016 | Oct 14, 2025 | Remote Code Execution | Important | 5066836 | Security Update | 10.0.14393.8519 |
| Windows 10 Version 1607 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066836 | Security Update | 10.0.14393.8519 |
| Windows 10 Version 1607 (32-bit) | Oct 14, 2025 | Remote Code Execution | Important | 5066836 | Security Update | 10.0.14393.8519 |
| Windows 10 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066837 | Security Update | 10.0.10240.21161 |
| Windows 10 (32-bit) | Oct 14, 2025 | Remote Code Execution | Important | 5066837 | Security Update | 10.0.10240.21161 |
| Windows Server 2025 | Oct 14, 2025 | Remote Code Execution | Important | 5066835 | Security Update | 10.0.26100.6899 |
| Windows 11 Version 24H2 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066835 | Security Update | 10.0.26100.6899 |
| Windows 11 Version 24H2 (ARM64) | Oct 14, 2025 | Remote Code Execution | Important | 5066835 | Security Update | 10.0.26100.6899 |
| Windows Server 2022 23H2 (Server Core) | Oct 14, 2025 | Remote Code Execution | Important | 5066780 | Security Update | 10.0.25398.1913 |
| Windows 11 Version 23H2 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066793 | Security Update | 10.0.22631.6060 |
| Windows 11 Version 23H2 (ARM64) | Oct 14, 2025 | Remote Code Execution | Important | 5066793 | Security Update | 10.0.22631.6060 |
| Windows Server 2025 (Server Core) | Oct 14, 2025 | Remote Code Execution | Important | 5066835 | Security Update | 10.0.26100.6899 |
| Windows 10 Version 22H2 (32-bit) | Oct 14, 2025 | Remote Code Execution | Important | 5066791 | Security Update | 10.0.19045.6456 |
| Windows 10 Version 22H2 (ARM64) | Oct 14, 2025 | Remote Code Execution | Important | 5066791 | Security Update | 10.0.19045.6456 |
| Windows 10 Version 22H2 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066791 | Security Update | 10.0.19045.6456 |
| Windows 11 Version 22H2 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066793 | Security Update | 10.0.22621.6060 |
| Windows 11 Version 22H2 (ARM64) | Oct 14, 2025 | Remote Code Execution | Important | 5066793 | Security Update | 10.0.22621.6060 |
| Windows 10 Version 21H2 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066791 | Security Update | 10.0.19044.6456 |
| Windows 10 Version 21H2 (ARM64) | Oct 14, 2025 | Remote Code Execution | Important | 5066791 | Security Update | 10.0.19044.6456 |
| Windows 10 Version 21H2 (32-bit) | Oct 14, 2025 | Remote Code Execution | Important | 5066791 | Security Update | 10.0.19044.6456 |
| Windows Server 2022 (Server Core) | Oct 14, 2025 | Remote Code Execution | Important | 5066782 | Security Update | 10.0.20348.4294 |
| Windows Server 2022 | Oct 14, 2025 | Remote Code Execution | Important | 5066782 | Security Update | 10.0.20348.4294 |
| Windows Server 2019 (Server Core) | Oct 14, 2025 | Remote Code Execution | Important | 5066586 | Security Update | 10.0.17763.7919 |
| Windows Server 2019 | Oct 14, 2025 | Remote Code Execution | Important | 5066586 | Security Update | 10.0.17763.7919 |
| Windows 10 Version 1809 (x64) | Oct 14, 2025 | Remote Code Execution | Important | 5066586 | Security Update | 10.0.17763.7919 |
| Windows 10 Version 1809 (32-bit) | Oct 14, 2025 | Remote Code Execution | Important | 5066586 | Security Update | 10.0.17763.7919 |
The post Microsoft IIS Flaw Enables Remote Code Execution by Unauthorized Attackers appeared first on Cyber Security News.