CVE Alert: CVE-2025-59514 – Microsoft – Windows 10 Version 1809

CVE-2025-59514

HIGH | No exploitation known

Improper privilege management in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally.

CVSS v3.1 (7.8)
Vendor
Microsoft
Product and versions (affected from the first build up to, but not including, the second)
  • Windows 10 Version 1809: 10.0.17763.0 lt 10.0.17763.8027
  • Windows Server 2019: 10.0.17763.0 lt 10.0.17763.8027
  • Windows Server 2019 (Server Core installation): 10.0.17763.0 lt 10.0.17763.8027
  • Windows Server 2022: 10.0.20348.0 lt 10.0.20348.4405
  • Windows 10 Version 21H2: 10.0.19044.0 lt 10.0.19044.6575
  • Windows 10 Version 22H2: 10.0.19045.0 lt 10.0.19045.6575
  • Windows Server 2025 (Server Core installation): 10.0.26100.0 lt 10.0.26100.7171
  • Windows 11 Version 25H2: 10.0.26200.0 lt 10.0.26200.7171
  • Windows 11 version 22H3: 10.0.22631.0 lt 10.0.22631.6199
  • Windows 11 Version 23H2: 10.0.22631.0 lt 10.0.22631.6199
  • Windows Server 2022, 23H2 Edition (Server Core installation): 10.0.25398.0 lt 10.0.25398.1965
  • Windows 11 Version 24H2: 10.0.26100.0 lt 10.0.26100.7171
  • Windows Server 2025: 10.0.26100.0 lt 10.0.26100.7171
  • Windows 10 Version 1607: 10.0.14393.0 lt 10.0.14393.8594
  • Windows Server 2016: 10.0.14393.0 lt 10.0.14393.8594
  • Windows Server 2016 (Server Core installation): 10.0.14393.0 lt 10.0.14393.8594
  • Windows Server 2008 Service Pack 2: 6.0.6003.0 lt 6.0.6003.23624
  • Windows Server 2008 Service Pack 2 (Server Core installation): 6.0.6003.0 lt 6.0.6003.23624
  • Windows Server 2008 R2 Service Pack 1: 6.1.7601.0 lt 6.1.7601.28021
  • Windows Server 2008 R2 Service Pack 1 (Server Core installation): 6.1.7601.0 lt 6.1.7601.28021
  • Windows Server 2012: 6.2.9200.0 lt 6.2.9200.25768
  • Windows Server 2012 (Server Core installation): 6.2.9200.0 lt 6.2.9200.25768
  • Windows Server 2012 R2: 6.3.9600.0 lt 6.3.9600.22869
  • Windows Server 2012 R2 (Server Core installation): 6.3.9600.0 lt 6.3.9600.22869
CWE
CWE-269: Improper Privilege Management
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Published
2025-11-11T17:59:35.037Z
Updated
2025-11-12T00:24:30.357Z

AI Summary Analysis

Risk verdict

High risk of local privilege escalation; exploitation state is not specified, but the impact is significant on affected Windows endpoints and servers—patch promptly when available.

Why this matters

An attacker with local access and low privileges can elevate to SYSTEM, enabling full access to protected data and persistence on the host. The vulnerability spans multiple Windows desktop and server SKUs, including recent Server Core and client editions, increasing the attack surface across enterprise endpoints.

Most likely attack path

Attacker already has a usable account or foothold on a host (AV:L, PR:L, UI:N) and can trigger the Streaming Service Proxy vulnerability without user interaction. Successful exploitation grants high privileges on the compromised host, with no scope expansion required by CVSS, facilitating access to sensitive resources and potential lateral moves through compromised credentials or tokens.

Who is most exposed

Large organisations with mixed Windows deployments (legacy 1607/1809 through 21H2/22H2 clients and Server 2019–2025 variants) are at risk, particularly where streaming or proxy services run with elevated tokens. Environments with extensive on‑premises endpoints and Server Core installations are especially exposed.

Detection ideas

  • Unusual privilege escalation events for non-admin users (token elevation to SYSTEM).
  • Sudden process spawns or service changes associated with the Streaming Service Proxy.
  • Anomalous logon or token impersonation activity from standard user accounts.
  • Unexpected service or scheduled task creations/modifications around the proxy.
  • EDR/SIEM alerts for privilege/credential misuse on affected Windows versions.

Mitigation and prioritisation

  • Apply the vendor patch to all affected Windows versions; verify deployment in maintenance windows.
  • Enforce least privilege and monitor for abnormal proxy/service activity; restrict unnecessary streaming proxy use.
  • Confirm configuration baselines for services running with elevated rights; remove or sandbox where feasible.
  • Ensure robust endpoint detection and response coverage; accelerate remediation if KEV or EPSS signals arise (treat as priority 1). Maintain hotfix SLAs and verify post‑patch readings.
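
One way to verify patch deployment against the fixed builds listed under Versions, as an added example that is not part of the original alert. The function names, host names and inventory builds are constructed for illustration; only the fixed build numbers come from this page.

```python
# Added example: classify Windows hosts by OS build against the first fixed
# builds listed for CVE-2025-59514. Build numbers are copied from this page's
# Versions field; SAMPLE_INVENTORY below is constructed sample data.

# First fixed build per servicing branch (each affected range starts at .0).
FIXED_BUILDS = [
    "6.0.6003.23624", "6.1.7601.28021", "6.2.9200.25768", "6.3.9600.22869",
    "10.0.14393.8594", "10.0.17763.8027", "10.0.19044.6575", "10.0.19045.6575",
    "10.0.20348.4405", "10.0.22631.6199", "10.0.25398.1965", "10.0.26100.7171",
    "10.0.26200.7171",
]

def parse_build(text):
    """Turn '10.0.19045.6575' into a comparable tuple of four ints."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part build, got {text!r}")
    return parts

# Index by major.minor.build so a host is only compared within its own branch.
FIXED_BY_BRANCH = {parse_build(f)[:3]: parse_build(f) for f in FIXED_BUILDS}

def patch_status(build):
    """Return 'vulnerable', 'patched' or 'unlisted' for one OS build string."""
    b = parse_build(build)
    fixed = FIXED_BY_BRANCH.get(b[:3])
    if fixed is None:
        return "unlisted"  # branch not named in the advisory: review by hand
    return "vulnerable" if b < fixed else "patched"

def triage(inventory):
    """Map hostname -> status for every host that is not confirmed patched."""
    statuses = {host: patch_status(build) for host, build in inventory.items()}
    return {h: s for h, s in statuses.items() if s != "patched"}

# Constructed inventory: hostname -> full OS build (major.minor.build.revision).
SAMPLE_INVENTORY = {
    "ws-0142": "10.0.19045.6456",
    "ws-0207": "10.0.26100.7171",
    "srv-core-03": "10.0.17763.7919",
    "lab-insider": "10.0.27950.1",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unlisted" run a branch the alert does not name and need a manual check rather than being assumed safe.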
