A local privilege escalation vulnerability, CVE-2025-21204, in the Windows Update Stack has been discovered. It allows an authorized attacker to elevate privileges by exploiting improper link resolution before file access. Review this Cybersecurity Threat Advisory to mitigate your risk.
What is the threat?
CVE-2025-21204 can be exploited by using directory junctions or symbolic links to hijack trusted paths accessed by SYSTEM-level processes like MoUsoCoreWorker.exe and Technical Detail & Additional Information. Upon successful exploitation, attackers can escalate privileges, bypass security mechanisms, and enable arbitrary code execution.
It affects various versions of Windows 10, Windows 11, and Windows Server, posing a significant risk of impact from threat actors.
Why is it noteworthy?
This vulnerability poses substantial risks to organizations as non-admin users can escalate their privileges. Unlike more complex exploits that may require sophisticated techniques, CVE-2025-21204 is classified as a “quiet privilege escalation vulnerability.” It blends into normal operating system behavior by abusing trust rather than exploiting memory corruption. The exploitation method is stealthy and difficult to detect because it leverages file system behavior instead of traditional memory corruption techniques.
What is the exposure or risk?
The vulnerability affects various versions of Windows 10, Windows 11, and Windows Server. Given the widespread use of these operating systems, the potential exposure is significant. Once an attacker gains local access to the impacted system, it becomes difficult for detection.
What are the recommendations?
Barracuda strongly recommends organizations to take these additional steps to protect your operating systems against this threat:
- Apply security updates issued in Microsoft’s April 2025 cumulative update.
- Limit access to sensitive directories and files that are involved in the update process. This reduces the risk of unauthorized manipulation.
- Use tools such as AppLocker or Windows Defender Application Control (WDAC) to block the creation of symbolic links and directory.
- Track activities involving symbolic links, especially those related to the Microsoft\UpdateStack directory. This helps in identifying potential exploitation attempts.
- Observe unusual file activities in or around the inetpub directory. This can help detect malicious actions early.
- Conduct regular security audits and reviews of your systems to ensure compliance with security policies and to identify any vulnerabilities.
Reference
For more in-depth information about the recommendations, please visit the following link:
- CVE-2025-21204 – Security Update Guide – Microsoft – Windows Process Activation Elevation of Privilege Vulnerability
- Windows Update Stack Privilege Escalation Vulnerability (CVE-2025-21204) – PoC Released – Intrucept
- Abusing the Windows Update Stack to Gain SYSTEM Access (CVE-2025-21204)
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.