Cyber Resilience

CVE-2025-25008

High

Published: 11 March 2025

Published
11 March 2025
Modified
01 July 2025
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0031 54.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25008 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows Server 2016. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 45.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25008 is a vulnerability involving improper link resolution before file access, known as "link following," in Microsoft Windows. Published on 2025-03-11, it enables an authorized local attacker to elevate privileges and has a CVSS v3.1 base score of 7.1 (High), with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The issue maps to CWE-59: Improper Link Resolution Before File Access.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation allows the attacker to achieve high integrity (I:H) and availability (A:H) impacts, specifically enabling local privilege escalation on the affected Windows system.

Mitigation details are provided in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-25008.

EU & UK References

Vulnerability details

Improper link resolution before file access ('link following') in Microsoft Windows allows an authorized attacker to elevate privileges locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a local privilege escalation vulnerability in Windows due to improper link resolution (CWE-59), directly enabling exploitation to gain higher privileges on the system, which maps to T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21251Same product: Microsoft Windows Server 2016
CVE-2025-21391Same product: Microsoft Windows Server 2016
CVE-2026-25187Same product: Microsoft Windows Server 2016
CVE-2025-21420Same product: Microsoft Windows Server 2016
CVE-2026-27912Same product: Microsoft Windows Server 2016
CVE-2026-41095Same product: Microsoft Windows Server 2016
CVE-2026-35420Same product: Microsoft Windows Server 2016
CVE-2026-26183Same product: Microsoft Windows Server 2016
CVE-2025-21419Same product: Microsoft Windows Server 2016
CVE-2025-21373Same product: Microsoft Windows Server 2016

Affected Assets

microsoft
windows server 2016
≤ 10.0.14393.7876
microsoft
windows server 2019
≤ 10.0.17763.7009
microsoft
windows server 2022
≤ 10.0.20348.3328
microsoft
windows server 2022 23h2
≤ 10.0.25398.1486
microsoft
windows server 2025
≤ 10.0.26100.3476

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly prevents exploitation by identifying, reporting, and correcting the improper link resolution vulnerability through timely patching.

prevent

Reference monitor implementation mediates all subject-object access attempts, including proper link resolution, to enforce access controls and block privilege escalation.

prevent

Least privilege restricts the privileges of processes and users, limiting the setup of symlink attacks and the impact of any successful local escalation.

References