CVE-2025-59282 - Vulnerability Details

CVE-2025-59282 - Internet Information Services (IIS) Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability

Concurrent execution using shared resource with improper synchronization ('race condition') in Inbox COM Objects allows an unauthorized attacker to execute code locally.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Microsoft	Iis Windows Windows 10 Windows 11 Windows Server Windows Server 2008 Windows Server 2012 Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2025

No data.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59282

History

Thu, 23 Oct 2025 13:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft Microsoft iis Microsoft windows Microsoft windows 10 Microsoft windows 11 Microsoft windows Server Microsoft windows Server 2008 Microsoft windows Server 2012 Microsoft windows Server 2016 Microsoft windows Server 2019 Microsoft windows Server 2022 Microsoft windows Server 2025
Vendors & Products		Microsoft Microsoft iis Microsoft windows Microsoft windows 10 Microsoft windows 11 Microsoft windows Server Microsoft windows Server 2008 Microsoft windows Server 2012 Microsoft windows Server 2016 Microsoft windows Server 2019 Microsoft windows Server 2022 Microsoft windows Server 2025

Tue, 14 Oct 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 14 Oct 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description		Concurrent execution using shared resource with improper synchronization ('race condition') in Inbox COM Objects allows an unauthorized attacker to execute code locally.
Title		Internet Information Services (IIS) Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability
Weaknesses		CWE-362 CWE-416
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59282
Metrics		cvssV3_1 `{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}`

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2025-10-14T17:00:48.096Z

Updated: 2025-10-24T23:07:49.910Z

Reserved: 2025-09-11T19:36:03.689Z

Link: CVE-2025-59282

Vulnrichment

Updated: 2025-10-14T19:51:24.286Z

NVD

Status : Awaiting Analysis

Published: 2025-10-14T17:16:11.110

Modified: 2025-10-14T19:35:56.913

Link: CVE-2025-59282

Redhat

No data.

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object