SafeBreach Labs disclosed CVE-2025-59199, a Windows 11 sandbox escape that allows a low-integrity process to gain medium-integrity code execution and perform arbitrary file writes after a single user click. The attack, dubbed "Click Or Trick," chains weaknesses across several Windows components rather than exploiting one isolated flaw, combining a misconfigured COM object, Windows app identity and toast notification behavior, Snipping Tool URI handling, URI decoding quirks, and Microsoft Teams' exposed Chromium remote debugging interface.
Researchers showed an attacker could launch a medium-integrity COM server from a low-integrity context, spoof a trusted toast notification, append attacker-controlled command-line arguments to legitimate applications, and then abuse the Chrome DevTools Protocol to write files outside the sandbox. Microsoft assigned the issue a CVSS 7.8 score after it was reported on July 13, 2025, and released a patch on October 14, 2025; the findings underscore how security gaps at the boundaries between unrelated Windows subsystems can be combined into a practical sandbox escape chain.
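One defensive check that follows from the Teams link in the chain above, added here as an example and not code from SafeBreach or Microsoft: enumerate processes started with a Chromium DevTools Protocol switch and show which loopback ports they are listening on. It assumes the interface is exposed through the standard `--remote-debugging-port` / `--remote-debugging-pipe` switches; the page itself does not state the mechanism.

```powershell
# Added example: audit running processes for Chromium remote-debugging switches.
# Assumption: exposure is via the standard --remote-debugging-port/--remote-debugging-pipe
# switches (the story does not say how Teams exposes the interface).

function Get-ChromiumDebugExposure {
    [CmdletBinding()]
    param()

    $pattern = '--remote-debugging-(port|pipe)'

    # Listening TCP sockets grouped by owning PID, so each flagged process can be
    # matched to the port it actually opened (null if nothing is listening).
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess -AsHashTable -AsString

    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CommandLine -and $_.CommandLine -match $pattern } |
        ForEach-Object {
            $ports = @()
            if ($listeners -and $listeners.ContainsKey([string]$_.ProcessId)) {
                $ports = $listeners[[string]$_.ProcessId] |
                    ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }
            }
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Name        = $_.Name
                DebugSwitch = [regex]::Match($_.CommandLine, "$pattern(=\S+)?").Value
                Listening   = ($ports -join ', ')
                CommandLine = $_.CommandLine
            }
        }
}

# Usage: any legitimate application carrying one of these switches is what an
# attacker-appended command-line argument would look like on a live system.
Get-ChromiumDebugExposure | Format-Table -AutoSize
```

An empty result means no process currently advertises a DevTools endpoint; a hit on a process that should not be debuggable is worth correlating with the October 14, 2025 patch state of the host.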

6 events from the most recent confirmed update back to the earliest known activity.
SafeBreach Labs disclosed technical details for 'Click Or Trick,' its analysis of CVE-2025-59199, including how the exploit chain escaped the Windows 11 sandbox and enabled arbitrary file writes outside the sandbox boundary.
Microsoft patched CVE-2025-59199 on October 14, 2025. The vulnerability involved chaining multiple Windows components, including COM, toast notifications, URI handling, and Teams' exposed Chromium remote debugging interface.
SafeBreach reported the Windows 11 sandbox escape vulnerability CVE-2025-59199 to Microsoft. The flaw allowed a low-integrity process to achieve medium-integrity code execution and arbitrary file write with a single user click.
Microsoft advised customers to apply the September 2021 security updates for CVE-2021-40444, which addressed the MSHTML exploitation technique described in the campaign analysis.
Microsoft said public disclosure of CVE-2021-40444 on September 8, 2021, was followed by increased exploitation attempts and broader adoption by multiple threat actors.
Microsoft observed the earliest attacks exploiting CVE-2021-40444 on August 18, 2021, using specially crafted Office documents to trigger the MSHTML remote code execution vulnerability.
Sources (3 references tracked): safebreach.com, microsoft.com, ptsecurity.com