Click Or Trick
CVE-2025-59199, dubbed "Click Or Trick," is an improper access control vulnerability in Windows Software Protection Platform (SPP) that can be exploited as a local sandbox escape and privilege elevation path. According to the provided research summary, the issue allows a low-integrity process on Windows 11 to reach medium-integrity code execution and arbitrary file write after a single user click. The demonstrated exploit chain abuses trust boundaries between multiple Windows components rather than a single memory-corruption flaw. The chain includes a COM object associated with editionupgradebroker that could be activated from a low-integrity process and launched as a medium-integrity LocalServer32 COM server, a controllable ShowToast function that could generate spoofed toast notifications for trusted applications, command-line argument injection into packaged applications, Snipping Tool URI handling and redirect behavior, URI decoding quirks, and Microsoft Teams' exposed Chromium remote debugging interface. In the reported attack, a low-integrity process creates the COM object, triggers a spoofed toast notification, and relies on the user clicking it. That click launches a trusted application with attacker-controlled parameters, which is then used to pivot into a medium-integrity context and ultimately abuse Chrome DevTools Protocol functionality to write files outside the original sandbox.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Windows 11 sandbox escape vulnerability that allows a low-integrity process to achieve escalated code execution and arbitrary file write with a single user click by chaining COM activation, app identity abuse, Snipping Tool URI handling, URI decoding quirks, and Chromium DevTools exposure.
One of 11 important vulnerabilities considered more likely to be exploited, ranging from remote code execution to privilege escalation across desktop and cloud environments.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.