Platform
windows
Component
internet-information-services-iis-inbox-com-objects
Fixed in
10.0.10240.21161
10.0.14393.8519
10.0.17763.7919
10.0.19044.6456
10.0.19045.6456
10.0.22621.6060
10.0.22631.6060
10.0.26100.6899
10.0.26200.6899
CVE-2025-59282 describes a Remote Code Execution (RCE) vulnerability affecting the Internet Information Services (IIS) Inbox COM Objects component in Windows. This vulnerability stems from a race condition where concurrent execution using shared resources lacks proper synchronization. Successful exploitation could allow an attacker to execute arbitrary code locally on the affected system, potentially leading to complete system compromise. The vulnerability impacts Windows versions 10.0.10240.0 through 10.0.26200.6899, and a fix is available in version 10.0.26200.6899.
An attacker who successfully exploits CVE-2025-59282 can achieve local code execution on a vulnerable Windows system. This means they can run arbitrary commands with the privileges of the affected user account, potentially escalating privileges to SYSTEM level. The impact is significant, as an attacker could install malware, steal sensitive data, modify system configurations, or disrupt services. Given that IIS is often used to host web applications and services, a successful exploit could also lead to the compromise of those applications and the data they handle. The blast radius extends to any data accessible by the compromised user account, and potentially the entire network if the attacker can leverage the compromised system for lateral movement.
CVE-2025-59282 was publicly disclosed on 2025-10-14. The CVSS score of 7 (HIGH) indicates a significant risk. There is currently no indication of active exploitation campaigns targeting this vulnerability, nor are there any publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of writing. However, the race condition nature of the vulnerability suggests that it could be exploited with relative ease once a suitable exploit is developed.
Exploit Status
EPSS
0.33% (56% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-59282 is to upgrade to Windows version 10.0.26200.6899 or later, which includes the fix for this race condition. If immediate patching is not feasible, consider implementing temporary workarounds. While a direct WAF rule is unlikely to prevent this local RCE, restricting access to sensitive COM objects via network segmentation can reduce the attack surface. Regularly review IIS configuration and permissions to ensure least privilege principles are followed. Monitor system logs for suspicious activity related to IIS processes and COM object usage. After upgrading, confirm the vulnerability is resolved by attempting to reproduce the conditions that trigger the race condition in a test environment.
Update your Windows 10 operating system to the latest available version through Windows Update. This will install the corrected version of Internet Information Services (IIS) and resolve the remote code execution vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-59282 is a Remote Code Execution vulnerability in the IIS Inbox COM Objects component of Windows, allowing local code execution due to a race condition.
You are affected if you are running Windows versions 10.0.10240.0 through 10.0.26200.6899 and have IIS installed.
Upgrade to Windows version 10.0.26200.6899 or later to receive the security patch. Consider temporary workarounds if immediate patching is not possible.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited once a suitable exploit is developed.
Refer to the official Microsoft Security Update Guide for CVE-2025-59282 when it is published.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.