Click Or Trick (CVE-2025-59199): Escaping the Sandbox with Windows URIs

SafeBreach Labs has uncovered a new one-click sandbox escape technique in Windows 11 that allows an attacker to achieve escalated code execution and arbitrary write from a low-integrity process with nothing more than a single user click.

The research shows how multiple legitimate Windows features can be chained together to achieve arbitrary write outside the sandbox, including COM objects, toast notifications, Snipping Tool URI handlers, Microsoft Teams, and Chromium’s remote debugging functionality. The attack requires only a single user click on a spoofed notification and does not rely on dropping traditional malware or third-party tools.

The SafeBreach Labs team is available to discuss:

  • How undocumented COM AppID flags allowed low-integrity processes to launch medium-integrity server processes.
  • The abuse of Windows notifications and URI handlers to execute attacker-controlled actions outside the sandbox boundary.
  • How Microsoft Teams and Chromium debugging functionality were leveraged to achieve arbitrary write using only native Windows applications.
  • Why chaining together legitimate operating system components creates dangerous attack paths that are difficult for defenders to detect.

Click Or Trick (CVE-2025-59199): Escaping the Sandbox with Windows URIs: https://www.safebreach.com/blog/click-or-trick-cve-2025-59199-escaping-the-sandbox-with-windows-uris/
