A high-severity vulnerability (CVE-2025-21204) in the Windows Update Stack has been disclosed, enabling local attackers to execute arbitrary code with SYSTEM privileges by exploiting trusted update processes.
This flaw impacts multiple Windows 10/11 and Server versions, posing risks to enterprises and individual users alike.
Vulnerability Overview
| Aspect | Details |
|---|---|
| CVE ID | CVE-2025-21204 |
| CVSS 3.1 Score | 7.8 (High) |
| Affected Systems | Windows 10 (1507, 1607, 1809), Windows 11, Windows Server 2019/2025 |
| Impact | Local privilege escalation, SYSTEM-level code execution |
| Exploit Complexity | Low; no memory corruption or user interaction required |
Exploitation Mechanism
The vulnerability stems from improper handling of directory junctions in the Windows Update Stack. Attackers with limited user privileges can redirect the trusted path C:\ProgramData\Microsoft\UpdateStack\Tasks to a malicious location using symbolic links.
When SYSTEM-level processes like MoUsoCoreWorker.exe access this path, they execute attacker-controlled payloads, bypassing security checks.
Security analysts describe this as a “quiet privilege escalation” flaw, leveraging implicit trust in file systems rather than complex exploits.
As noted by Cyberdom researchers.
Mitigation Strategies
| Action | Details |
|---|---|
| Apply Patches | Install April 2025 cumulative update (KB5055523). |
| Restrict Directory Permissions | Tighten ACLs on C:\ProgramData\Microsoft\UpdateStack. |
| Monitor File Activity | Detect junction creation in UpdateStack paths and C:\inetpub. |
| Enforce Least Privilege | Use AppLocker or WDAC to block symbolic link creation. |
Microsoft’s patch introduces a preemptive security measure by creating C:\inetpub on all systems, even those without IIS, to deter symbolic link attacks.
Broader Implications
CVE-2025-21204 highlights the growing trend of exploiting filesystem trust over memory corruption. It was among 124 vulnerabilities addressed in Microsoft’s April 2025 Patch Tuesday, which also included fixes for an actively exploited CLFS zero-day (CVE-2025-29824).
Security teams are urged to prioritize patching and audit directory permissions to mitigate risks from such “low-level” yet high-impact flaws.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(2)%20(1).webp?resize=1600,900&ssl=1&description=This flaw impacts multiple Windows 10/11 and Server versions, posing risks to enterprises and individual users alike.){kind=link}