CVE-2025-21204
📋 TL;DR
This vulnerability allows an authorized attacker with local access to exploit improper link resolution in the Windows Update Stack to elevate privileges. It affects Windows systems where an attacker can create symbolic links to trick the update process into accessing unintended files. Users with standard privileges could potentially gain SYSTEM-level access.
💻 Affected Systems
- Microsoft Windows Update Stack
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full SYSTEM privileges on the compromised Windows machine, enabling complete control, data theft, persistence mechanisms, and lateral movement capabilities.
Likely Case
Local privilege escalation from a standard user account to SYSTEM or administrator privileges, allowing installation of malware, credential harvesting, and bypassing security controls.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems with minimal lateral movement potential.
🎯 Exploit Status
Exploit requires local access and ability to create symbolic links. Detection scripts and mitigation guidance are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204
Restart Required: Yes
Instructions:
1. Apply latest Windows security updates from Microsoft. 2. Ensure Windows Update service is running. 3. Restart system after patch installation.
🔧 Temporary Workarounds
Restrict symbolic link creation
windowsLimit ability to create symbolic links to trusted administrators only
Use Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Create symbolic links
Monitor symbolic link creation
windowsEnable auditing for symbolic link creation events
auditpol /set /subcategory:"File System" /success:enable /failure:enable
🧯 If You Can't Patch
- Implement strict access controls to limit who can create symbolic links
- Monitor for unusual file system activity and symbolic link creation events
🔍 How to Verify
Check if Vulnerable:
Check Windows Update version against Microsoft advisory or use detection script from security researchersCheck Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify Windows Update KB patch is installed via 'wmic qfe list' or PowerShell 'Get-Hotfix'📡 Detection & Monitoring
Log Indicators:
- Event ID 4656 (File System Object Access) with symbolic link creation
- Unusual Windows Update process behavior
- Multiple failed privilege escalation attempts
Network Indicators:
- Local system activity only - no network indicators
SIEM Query:
EventID=4656 AND ObjectType="%%1890" AND ProcessName="*update*"🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204
- https://www.vicarius.io/vsociety/posts/cve-2025-21204-privilege-elevation-vulnerability-in-microsoft-windows-update-stack-detection-script
- https://www.vicarius.io/vsociety/posts/cve-2025-21204-privilege-elevation-vulnerability-in-microsoft-windows-update-stack-mitigation-script
