Cyber Posture

CVE-2026-25187

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 16.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25187 is a high-severity Link Following (CWE-59) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-25 (Reference Monitor).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the improper link resolution vulnerability in Winlogon through timely identification, reporting, and patching of the specific flaw.

AC-25 Reference Monitor partial match
prevent

Implements a reference monitor that mediates all file access subject to access control, addressing failures in symbolic link resolution enforcement.

AC-6 Least Privilege partial match
prevent

Enforces least privilege on accounts and processes to limit the scope and impact of privilege escalation via symlink manipulation in Winlogon.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

CVE describes a local privilege escalation vulnerability in Winlogon exploitable via symbolic link manipulation (CWE-59), directly matching T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2026-25187 is an improper link resolution before file access vulnerability, commonly known as "link following," affecting the Winlogon component in Windows. Published on 2026-03-10T18:18:35.413, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-59: Improper Link Resolution Before File Access.

The vulnerability enables a local attacker with low privileges to exploit Winlogon by manipulating symbolic links during file access operations, resulting in privilege escalation. Exploitation requires only local access, low attack complexity, and no user interaction, allowing the attacker to gain high-impact confidentiality, integrity, and availability effects.

Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25187 provides guidance on patches and mitigation steps.

Details

CWE(s)
CWE-59

Affected Products

microsoft
windows 10 1607
≤ 10.0.14393.8957 · ≤ 10.0.14393.8957
microsoft
windows 10 1809
≤ 10.0.17763.8511 · ≤ 10.0.17763.8511
microsoft
windows 10 21h2
≤ 10.0.19044.7058 · ≤ 10.0.19044.7058 · ≤ 10.0.19044.7058
microsoft
windows 10 22h2
≤ 10.0.19045.7058 · ≤ 10.0.19045.7058 · ≤ 10.0.19045.7058
microsoft
windows 11 23h2
≤ 10.0.22631.6783 · ≤ 10.0.22631.6783
microsoft
windows 11 24h2
≤ 10.0.26100.7979 · ≤ 10.0.26100.7979
microsoft
windows 11 25h2
≤ 10.0.26200.7979 · ≤ 10.0.26200.7979
microsoft
windows 11 26h1
≤ 10.0.28000.1719 · ≤ 10.0.28000.1719
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8957
+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-21420Same product: Microsoft Windows 10 1607
CVE-2025-21373Same product: Microsoft Windows 10 1607
CVE-2025-21419Same product: Microsoft Windows 10 1607
CVE-2025-21391Same product: Microsoft Windows 10 1607
CVE-2025-21331Same product: Microsoft Windows 10 1607
CVE-2026-27916Same product: Microsoft Windows 10 1607
CVE-2026-32077Same product: Microsoft Windows 10 1607
CVE-2026-26168Same product: Microsoft Windows 10 1607
CVE-2026-24294Same product: Microsoft Windows 10 1607
CVE-2026-27914Same product: Microsoft Windows 10 1607

References