CVE-2025-21391 is a high-severity elevation of privilege vulnerability affecting Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The vulnerability is classified under CWE-59, which pertains to improper link resolution before file access, commonly known as 'link following'. This issue arises when the Windows Storage component incorrectly resolves symbolic links or junction points before accessing files, allowing an attacker with limited privileges (low privilege user) to manipulate file system links to escalate their privileges. The CVSS v3.1 base score is 7.1, indicating a high severity level. The attack vector requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L), but no user interaction (UI:N). The scope is unchanged (S:U), and while confidentiality is not impacted (C:N), integrity and availability are both highly impacted (I:H, A:H). The exploitability is functional (E:F), with official remediation (RL:O) and confirmed fix (RC:C) status. Although no known exploits are currently observed in the wild, the vulnerability could allow an attacker to gain elevated privileges by exploiting improper symbolic link handling, potentially leading to system compromise or denial of service. This vulnerability specifically affects Windows 10 Version 1809, which is an older but still in-use version of Windows 10, often found in enterprise environments where upgrade cycles are slower.

For European organizations, this vulnerability poses a significant risk, especially for those still running Windows 10 Version 1809 in their infrastructure. Successful exploitation could allow an attacker with limited local access to escalate privileges to higher levels, potentially gaining administrative control over affected systems. This could lead to unauthorized modification or deletion of critical files, disruption of services, or further lateral movement within networks. Sectors such as finance, healthcare, manufacturing, and government agencies, which often have legacy systems and sensitive data, could be particularly impacted. The lack of confidentiality impact reduces the risk of data leakage directly from this vulnerability, but the high impact on integrity and availability could disrupt business operations and compromise system reliability. Additionally, since the attack requires local access, insider threats or attackers who have already compromised lower-privilege accounts could leverage this vulnerability to deepen their foothold.

To mitigate this vulnerability, European organizations should prioritize patching affected systems by applying the official security updates from Microsoft as soon as they become available. Since no patch links are currently provided, organizations should monitor Microsoft’s security advisories closely. In the interim, organizations should restrict local access to critical systems, enforce the principle of least privilege rigorously, and audit user permissions to minimize the number of accounts with local access. Employing application whitelisting and endpoint detection and response (EDR) solutions can help detect suspicious activities related to symbolic link manipulation. Additionally, organizations should consider upgrading from Windows 10 Version 1809 to a more recent, supported Windows version to reduce exposure to this and other legacy vulnerabilities. Regularly reviewing and hardening file system permissions and monitoring for unusual file system link creations can also reduce risk.