Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Winlogon Elevation of Privilege Vulnerability

IdentifiersCVE-2026-25187CWE-59· Improper Link Resolution Before…

CVE-2026-25187 is a local elevation-of-privilege vulnerability in Microsoft Windows Winlogon caused by improper link resolution before file access (link following). The flaw occurs when Winlogon follows a link during file access in a way that can be abused by an authorized local attacker, enabling privilege escalation. Microsoft and third-party reporting describe the issue as affecting the Winlogon process and classify it under CWE-59. Public reporting also notes a CVSS score of 7.8 and that the issue was discovered by Google Project Zero.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local authorized attacker to elevate privileges on the affected Windows system, with reporting indicating this can result in SYSTEM-level privileges. Because the flaw is in Winlogon, compromise can provide highly privileged execution and full control over the local host.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting local access to trusted users only, restricting the ability of non-administrative users to create or manipulate links in sensitive filesystem locations, and monitoring for suspicious link-following or file-manipulation activity involving Winlogon-related paths. No specific vendor mitigation beyond patching was provided in the supplied content.

Remediation

Patch, then assume compromise.

Apply Microsoft's March 2026 security update for Windows that addresses CVE-2026-25187. Prioritize patching because Microsoft assessed this vulnerability as 'Exploitation More Likely.'
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows 11 25h2operating_system
Microsoft CorporationWindows 11 26h1operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app
cyber security newsNews
Apr 16, 2026
31 High-Impact Vulnerabilities Exploited in March as Interlock Hits Cisco FMC Zero-Day

An actively exploited link following vulnerability in Microsoft Windows.

Read more
bank info securityNews
Mar 12, 2026
Breach Roundup: Russian State Actors Target Signal, WhatsApp

A Microsoft vulnerability mentioned as one of several privilege escalation flaws rated 'exploited more likely.'

Read more
govinfosecurityNews
Mar 12, 2026
Breach Roundup: Russian State Actors Target Signal, WhatsApp

A Microsoft vulnerability rated as 'exploited more likely' in the March 2026 Patch Tuesday release; the specific technical details are not provided in the content.

Read more
socradar blogNews
Mar 11, 2026
March 2026 Patch Tuesday: 83 Vulnerabilities, Two Publicly Disclosed Zero-Days

A Winlogon local elevation-of-privilege vulnerability flagged as 'Exploitation More Likely' by Microsoft.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-25187
NVD
nvd.nist.gov/vuln/detail/CVE-2026-25187
MITRE CWE · CWE-59
Improper Link Resolution Before File Access…
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25187
vicarius.io
vicarius.io/vsociety/posts/cve-2026-25187-detection-script-winlogon-elevation-of-privilege-vulnerability
vicarius.io
vicarius.io/vsociety/posts/cve-2026-25187-mitigation-script-winlogon-elevation-of-privilege-vulnerability