![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![From fast food worker to cybersecurity engineer with Tae'lur Alexis [Podcast #169]](https://cdn.hashnode.com/res/hashnode/image/upload/v1745242807605/8a6cf71c-144f-4c91-9532-62d7c92c0f65.png?#)
![BPMN-procesmodellering [closed]](https://i.sstatic.net/l7l8q49F.png)
.jpg?#)
.jpg?#)
.webp?#)
![CarPlay app with web browser for streaming video hits App Store [U]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2024/11/carplay-apple.jpeg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![What’s new in Android’s April 2025 Google System Updates [U: 4/21]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/01/google-play-services-3.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Apple Releases iOS 18.5 Beta 3 and iPadOS 18.5 Beta 3 [Download]](https://www.iclarified.com/images/news/97076/97076/97076-640.jpg)
![Apple Seeds visionOS 2.5 Beta 3 to Developers [Download]](https://www.iclarified.com/images/news/97077/97077/97077-640.jpg)
![Apple Seeds tvOS 18.5 Beta 3 to Developers [Download]](https://www.iclarified.com/images/news/97078/97078/97078-640.jpg)
![Apple Seeds watchOS 11.5 Beta 3 to Developers [Download]](https://www.iclarified.com/images/news/97079/97079/97079-640.jpg)
Critical Windows Update Stack Vulnerability Allows Code Execution & Privilege Escalation
A security flaw has been identified in the Windows Update Stack, exposing millions of Windows systems to the risk of unauthorized code execution and privilege escalation. Tracked as CVE-2025-21204, this vulnerability allows local attackers to gain SYSTEM-level access by manipulating trusted update processes, bypassing standard security controls. The issue impacts a broad range of Windows […] The post Critical Windows Update Stack Vulnerability Allows Code Execution & Privilege Escalation appeared first on Cyber Security News.
A security flaw has been identified in the Windows Update Stack, exposing millions of Windows systems to the risk of unauthorized code execution and privilege escalation.
Tracked as CVE-2025-21204, this vulnerability allows local attackers to gain SYSTEM-level access by manipulating trusted update processes, bypassing standard security controls.
The issue impacts a broad range of Windows 10, Windows 11, and Windows Server versions, making it a significant threat to both enterprise and personal users.
Windows Update Stack Vulnerability – CVE-2025-21204
The vulnerability, which carries a CVSS score of 7.8 (High), targets the Windows Update Stack components, specifically the MoUsoCoreWorker.exe and UsoClient.exe processes that run with SYSTEM privileges.
Unlike complex exploits requiring sophisticated techniques, CVE-2025-21204 represents what security experts call a “quiet privilege escalation vulnerability” that blends into normal OS behavior by abusing trust rather than exploiting memory corruption.
“This CVE is a masterclass in path abuse, trusted location redirection, and privilege escalation using native components — everything a red team loves and a blue team fears,” Cyberdom said to Cyber Security News.
The attack vector exploits a design flaw where Windows Update Stack processes improperly follow directory junctions (also known as NTFS mount points or symbolic links) and execute scripts from user-controlled paths without validating their origins or enforcing privilege boundaries.
An attacker with limited user privileges can create a junction that redirects the trusted path C:\ProgramData\Microsoft\UpdateStack\Tasks to a location containing malicious code.
When Windows Update processes like MoUsoCoreWorker.exe run as scheduled, they follow these junctions to the attacker-controlled location and execute the malicious code with SYSTEM privileges.
This exploitation technique requires no code injection or memory manipulation, making it particularly difficult to detect using traditional security tools.
Risk Factors Details Affected Products Windows 10 Version 1507 (10.0.10240.0 < 10.0.10240.20978), Windows 10 Version 1607 (10.0.14393.0 < 10.0.14393.7970), Windows 10 Version 1809 (10.0.17763.0 < 10.0.17763.7137); likely other supported Windows 10/11 and Windows Server versions Impact Local privilege escalation, Code execution Exploit Prerequisites Attacker must have local access and limited user privileges on the target system; no user interaction required CVSS 3.1 Score 7.8 (High)
Mitigations
Microsoft’s April 2025 cumulative update (KB5055523) addresses the vulnerability with an unusual mitigation strategy that includes creating a new folder at the root of system drives: C:\inetpub.
Though typically associated with Internet Information Services (IIS), this folder’s appearance is intentional even on systems without IIS installed.
It serves as part of Microsoft’s security improvement to pre-create certain directories and harden the update process against symbolic link attacks.
Security analysts have developed detection rules to identify potential exploitation attempts, focusing on suspicious junction creations targeting the Windows Update Stack paths and monitoring for unusual file operations involving the Microsoft\UpdateStack directory.
Organizations should implement the following mitigations:
- Apply the April 2025 security updates immediately
- Restrict ACLs on C:\ProgramData\Microsoft\UpdateStack
- Prevent symbolic link creation using AppLocker or Windows Defender Application Control (WDAC)
- Monitor file creation activities in inetpub directories, regardless of whether IIS is installed
The vulnerability exemplifies a growing trend of threat actors exploiting implicit trust in file systems rather than relying on complex memory corruption techniques.
Security experts warn that such “low-level” CVEs often have outsized impacts despite their seemingly simpler exploitation methods.
This vulnerability appears alongside 124 other CVEs fixed in Microsoft’s April 2025 Patch Tuesday release, one of which (CVE-2025-29824) is already being actively exploited in the wild.
“This CVE doesn’t just reveal a vulnerability — it highlights how complex and fragile trusted execution paths can be in modern Windows environments,” explained researchers.
“For attackers, it’s a low-noise SYSTEM shell. For defenders, it’s a blueprint for what file-based LPEs look like in the real world.”
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post Critical Windows Update Stack Vulnerability Allows Code Execution & Privilege Escalation appeared first on Cyber Security News.
