A serious security flaw has been discovered in Microsoft’s Internet Information Services (IIS) that lets attackers run arbitrary code without logging in.
The vulnerability affects the IIS Inbox COM Objects and stems from improper handling of shared memory and objects that have been freed.
Attackers who can reach the server and exploit this flaw could gain full control of the system, potentially stealing data or installing malware.
On October 14, 2025, Microsoft publicly disclosed a remote code execution vulnerability in the IIS Inbox COM Objects.
This flaw is tracked as CVE-2025-59282 and is rated “Important.” It stems from a race condition and use-after-free weakness that allows attackers to trigger execution of code in the context of the IIS process.
No authentication is required, so any unauthenticated attacker with network access to an affected server can exploit it.
Microsoft, acting as the CNA (CVE Numbering Authority), assigned the identifier and provided the full details of the flaw.
The company also published a security bulletin outlining recommended updates and mitigation steps. Administrators are urged to apply the patches immediately to avoid being compromised.
Details of the Vulnerability
The root cause of CVE-2025-59282 lies in two specific weaknesses defined by MITRE:
- CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization)
- CWE-416 (Use After Free)
These weaknesses occur within the IIS Inbox COM Objects, which handle certain global memory operations.
When an attacker sends specially crafted requests, they can manipulate the timing of object creation and deletion.
This leads to execution of attacker-supplied code in memory regions that the IIS process mistakenly believes are safe.
Microsoft’s own CVSS 3.1 assessment assigns a base score of 7.0 and a temporal score of 6.1. The vector string is CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C.
The high impact metrics indicate full loss of confidentiality, integrity, and availability if exploited.
Administrators should review their servers and immediately download the security update from Microsoft’s official site.
Applying the provided patch closes the race condition and corrects the use-after-free error. Until the patch is applied, network firewalls can limit access to port 80 and port 443 to trusted hosts only, reducing exposure.
Monitoring logs for unusual IIS activity is also recommended. Any unexpected requests targeting COM objects or irregular process crashes should be treated as potential exploitation attempts.
| CVE | Vulnerability | Released | Assigning CNA | Impact |
|---|---|---|---|---|
| CVE-2025-59282 | Internet Information Services (IIS) Inbox COM Objects (Global Memory) RCE | Oct 14, 2025 | Microsoft | Remote Code Execution |
In addition, running web servers with the minimum required privileges can limit damage if an attacker does manage to execute code.
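The three interim measures above (restricting ports 80 and 443 to trusted hosts, watching for IIS worker-process crashes, and running application pools with minimal privilege) can be applied and checked from an elevated PowerShell session. The script below is an added example written for this article, not code from Microsoft or the advisory; the `$TrustedHosts` addresses are constructed sample values, and the event IDs used are the standard Application Error (1000) and Windows Process Activation Service (5002, 5011) events.

```powershell
# Added example: interim hardening and crash checks for an IIS host that has
# not yet received the CVE-2025-59282 update. Run as Administrator.
# Assumption: $TrustedHosts lists the only clients that should reach 80/443.
$TrustedHosts = @('10.0.0.0/24', '192.0.2.10')   # constructed sample values

# 1. Restrict inbound HTTP/HTTPS to trusted hosts. Windows Firewall applies
#    block rules before allow rules, so a blanket block would also defeat the
#    scoped allow; instead, disable every inbound allow rule that opens 80 or
#    443 and add one allow rule limited to the trusted addresses.
Get-NetFirewallPortFilter -All |
    Where-Object { @($_.LocalPort) | Where-Object { $_ -in '80', '443' } } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'IIS HTTP/HTTPS from trusted hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort 80, 443 `
    -RemoteAddress $TrustedHosts -Action Allow -Profile Any | Out-Null

# 2. Irregular process crashes: look for w3wp.exe (the IIS worker process)
#    faults in the last 7 days. Application Error 1000 is the generic crash
#    record; WAS 5011/5002 record worker-process failures and rapid-fail
#    protection disabling an application pool.
$since = (Get-Date).AddDays(-7)
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'w3wp\.exe' }

$wasEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'; Id = 5011, 5002; StartTime = $since
} -ErrorAction SilentlyContinue

"w3wp.exe crashes: $(@($crashes).Count); WAS worker failures: $(@($wasEvents).Count)"
@($crashes) + @($wasEvents) | Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, ProviderName -AutoSize

# 3. Least privilege: flag application pools that run as LocalSystem or a
#    custom account instead of the default per-pool virtual identity.
Import-Module WebAdministration
Get-ChildItem IIS:\AppPools | ForEach-Object {
    $identity = $_.processModel.identityType
    [pscustomobject]@{
        AppPool  = $_.Name
        Identity = $identity
        Review   = $identity -in 'LocalSystem', 'SpecificUser'   # needs justification
    }
} | Format-Table -AutoSize
```

Any pool flagged for review should be moved to ApplicationPoolIdentity unless a documented requirement prevents it; a non-zero crash count warrants pulling the matching IIS request logs for the same window.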
By swiftly applying the update and tightening network controls, organizations can protect their IIS servers from this high-risk flaw.