CVE-2025-21204: SYSTEM-Level Privilege Escalation in Windows Update Stack Exposed, PoC Released
Ddos 
Image: Elli Shlomo
Security researcher Elli Shlomo published the technical details and a proof-of-concept exploit code for CVE-2025-21204, a severe local privilege escalation flaw within the Windows Update Stack, leveraging symbolic links and directory junctions to bypass standard access controls and execute arbitrary code with SYSTEM-level privileges.
The issue resides in how Windows handles update-related processes—particularly those tied to executables like MoUsoCoreWorker.exe and UsoClient.exe. These processes, responsible for checking, downloading, and installing updates, run as SYSTEM and routinely access the directory: C:\ProgramData\Microsoft\UpdateStack\Tasks.
Under normal conditions, this path is assumed secure. However, as Shlomo’s research demonstrates, this trust is dangerously misplaced. Under vulnerable configurations, these processes may trust and execute files from this location without validating their origin, integrity, or ACLs.
In an example of trusted path abuse, attackers—even those without administrative rights—can hijack the update mechanism by:
- Planting a payload (script, DLL, or binary)
- Deleting the legitimate Tasks directory
- Replacing it with a junction pointing to a user-controlled location
- Waiting for or triggering an update scan
Once the SYSTEM-level updater follows the hijacked path, it executes the attacker’s payload, elevating privileges silently—without tripping over AMSI, Defender, or WDAC.
Shlomo’s PowerShell-based exploit demonstrates the full chain:
- A malicious payload (updatehelper.ps1) is dropped in C:\inetpub\wwwroot, adding a new local admin.
- The legitimate Tasks directory is deleted and replaced with a junction.
- The script waits for update processes like TiWorker.exe or UsoClient.exe.
- Upon detection, the redirection takes effect, and SYSTEM unknowingly runs the attacker’s code.
Notably, the exploit uses only native Windows functionality—no compilation or external binaries—making it stealthy and effective.
After the April 2025 cumulative update (KB5055523), many users noticed the sudden appearance of an unexpected directory: C:\inetpub.
Traditionally tied to IIS, its presence puzzled users. Microsoft later clarified: its creation is intentional, forming part of the mitigation for CVE-2025-21204. By pre-creating directories like C:\inetpub, Microsoft hardens the update process against symlink attacks by eliminating the attacker-controlled creation window.
Donate