CVE-2025-21360

7.8 HIGH

📋 TL;DR

This vulnerability in Microsoft AutoUpdate allows local attackers to escalate privileges on affected macOS systems. An authenticated attacker could exploit this to gain root privileges, potentially compromising the entire system. Only macOS systems running Microsoft AutoUpdate are affected.

💻 Affected Systems

Products:
  • Microsoft AutoUpdate for macOS
Versions: Versions prior to 4.90.24080.01
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS installations of Microsoft AutoUpdate. Windows versions are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root access, enabling installation of persistent malware, data theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, install unauthorized software, and access sensitive system resources.

🟢 If Mitigated

Limited impact if proper privilege separation and least privilege principles are already implemented.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Local attackers or malware with user-level access can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and user-level privileges to exploit. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Microsoft AutoUpdate 4.90.24080.01 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21360

Restart Required: No

Instructions:

1. Open Microsoft AutoUpdate on macOS.
2. Check for updates.
3. Install version 4.90.24080.01 or later.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable Microsoft AutoUpdate

macOS

Temporarily disable Microsoft AutoUpdate to prevent exploitation while planning for patching:

sudo launchctl unload /Library/LaunchDaemons/com.microsoft.autoupdate.helper.plist
sudo launchctl unload /Library/LaunchAgents/com.microsoft.update.agent.plist

🧯 If You Can't Patch

  • Implement strict privilege separation and least privilege principles for all user accounts
  • Monitor for suspicious privilege escalation attempts using endpoint detection tools

🔍 How to Verify

Check if Vulnerable:

Check the Microsoft AutoUpdate version in the About Microsoft AutoUpdate dialog or from the command line.

Check Version:

defaults read /Library/Preferences/com.microsoft.autoupdate2.plist Version

Verify Fix Applied:

Verify Microsoft AutoUpdate version is 4.90.24080.01 or higher
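
One way to script this check across a fleet, as an added example that is not part of the original advisory or Microsoft's tooling. The function names (strip_zeros, version_ge, mau_status) are hypothetical, and the sample versions in the fallback branch are constructed; the plist path and fixed version are the ones given on this page.

```shell
#!/bin/sh
# Added example: classify a Microsoft AutoUpdate version against the fixed build.
FIXED_VERSION="4.90.24080.01"   # patch version stated in the advisory

# strip_zeros N: drop leading zeros so "01" compares as 1; empty becomes 0.
strip_zeros() {
    n=${1#"${1%%[!0]*}"}
    printf '%s\n' "${n:-0}"
}

# version_ge A B: succeed when dotted version A >= B, field by field, numerically.
# A plain string comparison would rank 4.100 below 4.90.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=$(strip_zeros "${a%%.*}"); fb=$(strip_zeros "${b%%.*}")
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# mau_status VERSION: print patched, vulnerable, or unknown (missing or malformed).
mau_status() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown ;;
        *) if version_ge "$1" "$FIXED_VERSION"; then echo patched
           else echo vulnerable; fi ;;
    esac
}

if command -v defaults >/dev/null 2>&1; then
    # On macOS: read the installed version with the command given above.
    v=$(defaults read /Library/Preferences/com.microsoft.autoupdate2.plist Version 2>/dev/null || true)
    echo "installed ${v:-none}: $(mau_status "$v")"
else
    # Elsewhere: constructed sample versions, for illustration only.
    for v in 4.89.24010.00 4.90.24080.01 4.100.0.0 ""; do
        echo "sample ${v:-none}: $(mau_status "$v")"
    done
fi
```

An "unknown" result means the version key was missing or malformed, so treat that host as unverified rather than patched.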

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Microsoft AutoUpdate process spawning with elevated privileges
  • Unauthorized changes to system files

Network Indicators:

  • Unusual outbound connections from Microsoft AutoUpdate processes

SIEM Query:

process_name:"Microsoft AutoUpdate" AND event_type:"privilege_escalation"
