SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Windows 11 sandbox flaw lets attackers escape with one click

Mon, 1st Jun 2026
Joseph Gabriel Lagonsin, News Editor

SafeBreach Labs has uncovered a Windows 11 sandbox escape vulnerability dubbed Click Or Trick. Microsoft assigned the issue CVE-2025-59199 and fixed it in October 2025.

The research describes a one-click attack that starts from a low-integrity process and achieves arbitrary write and escalated code execution by chaining built-in Windows components. The method relies on a spoofed notification click rather than dropped malware or third-party tools.

At the centre of the technique is Windows Mandatory Integrity Control, which separates processes running under the same user account into different trust levels. Low-integrity processes are commonly used as a sandbox boundary in browsers and other applications, limiting what compromised code can access even when it runs under a valid user identity.

The researchers began by looking for COM objects that a low-integrity process could still activate. They focused on LocalServer32 COM servers, which run in a separate process and can create opportunities for actions outside the original sandbox.

The team found an AppID with an undocumented flag that allowed a low-integrity process to launch a medium-integrity server process using the user's unmodified logon token. This gave the researchers a way to trigger actions at a higher integrity level without first breaking out through a conventional privilege escalation route.

From there, they examined a COM object linked to Windows edition upgrade functions and identified a ShowToast function. This allowed them to generate toast notifications on behalf of other applications while also controlling a launch command appended when the user clicked the notification.

The work then shifted to app identities used by Windows applications. The researchers found that some applications would accept appended command-line parameters when launched through those notifications, opening a route to steer built-in software into carrying out attacker-controlled actions.

One early test used Winget, the Windows package manager, to install software selected by the attacker after a single click. That was not enough for a complete escape because it did not directly provide arbitrary code execution.

Snipping Tool route

A more useful path came from Snipping Tool, which in Windows 11 can be launched with URI-based parameters. The researchers said the tool's documented discover endpoint includes a redirect-uri argument that can send a callback to another registered application.

That behaviour allowed them to move execution from the spoofed notification into Snipping Tool and then to a second URI target chosen by the attacker. In practice, this meant a low-integrity application could, after one user click, trigger a medium-integrity launch of another registered Windows application.

The team first tested file:// URIs. They found that interpreted files such as Python scripts could be run this way if stored in the LocalLow folder, one of the few writable locations available to low-integrity processes. Native executables and batch files, however, were blocked by the way Windows handled file association checks.

That led the researchers to search for a different URI target. They settled on Microsoft Teams because the desktop client is based on Chromium and still exposed the Chromium --remote-debugging-port switch, which starts a Chrome DevTools Protocol server on a chosen local port.

Using a crafted ms-teams URI passed through Snipping Tool's redirect mechanism, they were able to inject that switch. Once Teams opened with remote debugging enabled, the researchers used Chrome DevTools Protocol commands to change the download directory and download a file into a location outside the sandbox, creating an arbitrary write primitive.
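The two launch patterns the article describes (Snipping Tool started with a redirect-uri argument, and Teams started with the Chromium --remote-debugging-port switch) are the kind of thing a process-creation detection can key on. The following is an added example, not SafeBreach's code: it scans constructed sample events, and the event field names, executable names and paths are assumptions, not telemetry from the research.

```python
"""Flag process-creation events matching the Snipping Tool / Teams launch pattern."""
import re

# Indicators taken from the article: a redirect-uri argument on a Snipping Tool
# launch, and the Chromium remote-debugging switch on a Teams launch.
REDIRECT_URI = re.compile(r"redirect-uri=", re.IGNORECASE)
REMOTE_DEBUG = re.compile(r"--remote-debugging-port(=|\s)\d+", re.IGNORECASE)

# Executable names are assumed for this example; adjust to the names seen in
# your own telemetry.
SNIPPING_TOOL = "snippingtool.exe"
TEAMS = "ms-teams.exe"


def classify(event):
    """Return the list of finding tags for one event (empty if nothing matched)."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("cmdline", "")
    findings = []
    if image == SNIPPING_TOOL and REDIRECT_URI.search(cmdline):
        findings.append("snipping-tool-redirect-uri")
    if image == TEAMS and REMOTE_DEBUG.search(cmdline):
        findings.append("teams-remote-debugging-port")
    return findings


def scan(events):
    """Return [(event_index, findings)] for every event that raised a finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]


# Constructed sample events (not real logs); URI scheme and target are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\notes.txt"},
    {"image": r"C:\Program Files\WindowsApps\SnippingTool\SnippingTool.exe",
     "cmdline": 'SnippingTool.exe "placeholder-scheme:discover?redirect-uri=placeholder-target"'},
    {"image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "cmdline": "ms-teams.exe --remote-debugging-port=9222"},
    {"image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "cmdline": "ms-teams.exe"},
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(tags)}")
```

A normal Teams start (event 3) raises nothing, so the rule keys on the debugging switch itself rather than on the application.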

Native chain

The full chain crossed several Windows subsystems that are rarely analysed together in a single exploit path, including COM activation, app identity handling, toast notifications, URI handlers, Snipping Tool and Chromium remote debugging. None of those elements alone would typically be seen as a clear sandbox escape path, but together they produced a workable route beyond the low-integrity boundary.

The attack used only applications and services already present on a standard Windows 11 installation. SafeBreach Labs argued that this makes defensive detection harder because the activity can appear to be normal operating system behaviour rather than the launch of foreign binaries.

The vulnerability received a CVSS score of 7.8. SafeBreach Labs disclosed the findings to Microsoft, which addressed the issue in October 2025.

The researchers framed the finding as a reminder that operating system security can be weakened by interactions between trusted components rather than by a single obvious flaw. "This research demonstrates the dangers that hide in the current practice of introducing too many complex applications as part of an operating system. Every dependency and application shipped with your product - whether an operating system, an application, or a website - expands the attack surface and should be reviewed accordingly," said SafeBreach Labs.