CVE-2025-59284 is a vulnerability categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting Microsoft Windows 11 version 22H2 (build 10.0.22621.0). The issue arises from the Windows NTLM authentication protocol implementation, where an unauthorized local attacker can perform spoofing to expose sensitive information. This vulnerability does not allow modification or destruction of data (no integrity or availability impact) but permits unauthorized disclosure of information. The attack vector is local (AV:L), requiring the attacker to have local access to the system, and user interaction is necessary (UI:R), which further limits exploitation. No privileges are required (PR:N), meaning any local user can attempt exploitation. The vulnerability scope is unchanged (S:U), indicating it affects only the vulnerable component without impacting other system components. The CVSS v3.1 base score is 3.3, reflecting low severity due to limited impact and exploitation complexity. No known exploits are currently reported in the wild, and no official patches have been published yet. The vulnerability was reserved in September 2025 and published in October 2025. The lack of patch links suggests mitigation is currently reliant on workarounds and security controls. The vulnerability could be leveraged by attackers with local access to perform NTLM spoofing attacks, potentially leading to unauthorized disclosure of sensitive data within the affected Windows environment.

For European organizations, the primary impact of CVE-2025-59284 is the potential unauthorized exposure of sensitive information on Windows 11 version 22H2 systems. Although the vulnerability does not affect system integrity or availability, information disclosure can lead to further reconnaissance by attackers, enabling more targeted attacks or lateral movement within networks. Organizations with high reliance on Windows 11 endpoints, especially in sectors handling sensitive or regulated data (e.g., finance, healthcare, government), could face compliance and privacy risks if sensitive data is leaked. The requirement for local access and user interaction reduces the likelihood of remote exploitation but does not eliminate insider threats or risks from compromised endpoints. The absence of known exploits in the wild lowers immediate risk but does not preclude future exploitation attempts. Overall, the impact is moderate in terms of information security posture but could be significant if exploited in sensitive environments.

1. Restrict local access to Windows 11 version 22H2 systems to trusted users only, employing strict access controls and endpoint security measures. 2. Monitor NTLM authentication traffic and logs for unusual or suspicious spoofing attempts using advanced threat detection tools and SIEM solutions. 3. Educate users about the risks of local attacks requiring user interaction and enforce policies to prevent execution of untrusted code or scripts. 4. Implement network segmentation to limit lateral movement opportunities if an endpoint is compromised. 5. Apply the principle of least privilege to reduce the number of users with local access rights. 6. Stay alert for official patches or security advisories from Microsoft and plan prompt deployment once available. 7. Consider disabling or restricting NTLM usage where feasible, migrating to more secure authentication protocols like Kerberos. 8. Use endpoint detection and response (EDR) solutions to detect and respond to suspicious local activities related to NTLM spoofing. These measures go beyond generic advice by focusing on local access control, monitoring specific to NTLM behavior, and user interaction risk reduction.