CVE-2025-59509: 
vulnerability analysis and mitigation

A Windows Speech Recognition Information Disclosure Vulnerability (CVE-2025-59509) was disclosed on November 11, 2025. The vulnerability affects various versions of Microsoft Windows operating systems, including Windows 10, Windows 11, and Windows Server editions. The issue stems from the insertion of sensitive information into sent data in Windows Speech, which could allow an authorized attacker to disclose information locally (NVD, Rapid7).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires local access, low attack complexity, low privileges, and no user interaction. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) (NVD).

The vulnerability primarily affects the confidentiality of the system, with no direct impact on integrity or availability. If successfully exploited, an authorized attacker could access and disclose sensitive information locally on the affected system (NVD).

Microsoft has released security updates to address this vulnerability across affected versions of Windows. The patches are available through various KB articles including KB5068791 for Windows 10 1809, KB5068781 for Windows 10 21H2/22H2, KB5068865 for Windows 11 23H2, and KB5068861 for Windows 11 24H2/25H2 (Rapid7).