CVE-2026-25187
HIGH EXPLOITED
Windows 10 1607-22H2 and Windows 11 23H2-24H2 - Privilege Escalation via Winlogon Link Resolution
Title source: llm
Exploitation Summary
CVE-2026-25187 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally.
References (3)
Core References
Vendor Advisory vendor-advisory
patch
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25187
Scores
CVSS v3
7.8
EPSS
0.0318
EPSS Percentile
86.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
VulnCheck KEV
2026-04-13
CWE
CWE-59
Status
published
Products (37)
Microsoft/Windows 10 Version 1607
10.0.14393.0 - 10.0.14393.8957
Microsoft/Windows 10 Version 1809
10.0.17763.0 - 10.0.17763.8511
Microsoft/Windows 10 Version 21H2
10.0.19044.0 - 10.0.19044.7058
Microsoft/Windows 10 Version 22H2
10.0.19045.0 - 10.0.19045.7058
Microsoft/Windows 11 version 22H3
10.0.22631.0 - 10.0.22631.6783
Microsoft/Windows 11 Version 23H2
10.0.22631.0 - 10.0.22631.6783
Microsoft/Windows 11 Version 24H2
10.0.26100.0 - 10.0.26100.8037
Microsoft/Windows 11 Version 25H2
10.0.26200.0 - 10.0.26200.8037
Microsoft/Windows 11 version 26H1
10.0.28000.0 - 10.0.28000.1719
Microsoft/Windows 11 Version 26H1
10.0.28000.0 - 10.0.28000.1719
... and 27 more
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026