CVE-2025-10213 – This DLL search path hijacking vulnerability in... (How to Fix)

Q: What is the severity of CVE-2025-10213?

CVE-2025-10213 has a CVSS score of 7.8 (HIGH). This DLL search path hijacking vulnerability in UPDF.exe allows attackers with local access to execute arbitrary code by placing a malicious dxtn.dll file in a specific Windows directory. The vulnerability affects Windows users running UPDF version 1.8.5.0, potentially leading to system compromise and persistence.

📋 TL;DR

This DLL search path hijacking vulnerability in UPDF.exe allows attackers with local access to execute arbitrary code by placing a malicious dxtn.dll file in a specific Windows directory. The vulnerability affects Windows users running UPDF version 1.8.5.0, potentially leading to system compromise and persistence.

💻 Affected Systems

Products:

UPDF

Versions: 1.8.5.0

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have write access to C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\ directory

📦 What is this software?

Updf by Updf

View all CVEs affecting Updf →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining persistence, data exfiltration, and lateral movement capabilities.

🟠

Likely Case

Local privilege escalation leading to unauthorized access to sensitive files and system resources.

🟢

If Mitigated

Limited impact with proper file permissions and application whitelisting preventing DLL execution.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over network.

🏢 Internal Only: HIGH - Local attackers or malware with user-level access can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local access and ability to place DLL in specific directory. Simple DLL hijacking technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-updf

Restart Required: No

Instructions:

Check vendor website for updated version. Uninstall vulnerable version and install patched version when available.

🔧 Temporary Workarounds

Restrict write permissions to WindowsApps directory

windows

Remove write permissions for non-administrative users to the vulnerable directory

icacls "C:\Users\%USERNAME%\AppData\Local\Microsoft\WindowsApps" /deny Users:(OI)(CI)W

Remove vulnerable UPDF version

windows

Uninstall UPDF version 1.8.5.0 until patched version is available

appwiz.cpl

🧯 If You Can't Patch

Implement application whitelisting to prevent execution of unauthorized DLLs
Monitor for DLL files being created in C:\Users\*\AppData\Local\Microsoft\WindowsApps\ directory

🔍 How to Verify

Check if Vulnerable:

Check UPDF version in About dialog or via Control Panel > Programs and Features. Version 1.8.5.0 is vulnerable.

Check Version:

wmic product where name="UPDF" get version

Verify Fix Applied:

Verify UPDF version is updated beyond 1.8.5.0. Check vendor advisory for specific patched version.

📡 Detection & Monitoring

Log Indicators:

File creation events for dxtn.dll in WindowsApps directory
Process creation events for UPDF.exe loading unexpected DLLs

Network Indicators:

Unusual outbound connections from UPDF.exe process

SIEM Query:

source="windows" AND (event_id=11 AND file_path="*WindowsApps*dxtn.dll") OR (event_id=4688 AND process_name="UPDF.exe")

📊 Metadata

CVE ID: CVE-2025-10213

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-427

EPSS Score: 0.01% exploit probability (1.5th percentile)

Published: September 10, 2025

Last Updated: January 29, 2026

🔗 References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-updf Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10213, you might also want to check these: