CVE-2025-29800
📋 TL;DR
CVE-2025-29800 is a local privilege escalation vulnerability in Microsoft AutoUpdate (MAU) that allows authenticated attackers to gain elevated system privileges. This affects macOS systems running vulnerable versions of MAU. Attackers must already have local user access to exploit this vulnerability.
💻 Affected Systems
- Microsoft AutoUpdate (MAU)
📦 What is this software?
Microsoft AutoUpdate (MAU) is Microsoft's updater for its macOS applications (Office / Microsoft 365, Teams, Edge and others).
⚠️ Risk & Real-World Impact
Worst Case
An attacker with standard user privileges could gain root/system-level access, enabling complete system compromise, data theft, malware persistence, and lateral movement across the network.
Likely Case
Malicious insiders or attackers who have already compromised a user account could elevate privileges to install persistent malware, disable security controls, or access sensitive data.
If Mitigated
With proper privilege separation and endpoint protection, the impact is limited to the compromised user account without system-wide compromise.
🎯 Exploit Status
Requires local authenticated access. The CWE-269 classification (Improper Privilege Management) indicates that the flaw lies in how MAU handles privileges, so it could be triggered through ordinary user actions rather than a memory-corruption exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not yet stated in the advisory; check the Microsoft Security Response Center for the latest MAU release
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29800
Restart Required: Yes
Instructions:
1. Open Microsoft AutoUpdate on macOS.
2. Check for updates.
3. Install available updates.
4. Restart the system if prompted.
Alternatively, update through Microsoft 365 apps or download from Microsoft's official site.
🔧 Temporary Workarounds
Disable Microsoft AutoUpdate
macOS: Temporarily disable MAU to prevent exploitation while awaiting patch deployment
sudo launchctl unload /Library/LaunchDaemons/com.microsoft.autoupdate.helper.plist
sudo launchctl unload /Library/LaunchAgents/com.microsoft.update.agent.plist
Restrict MAU Execution
macOS: Use macOS privacy controls to restrict MAU execution or network access
🧯 If You Can't Patch
- Implement strict privilege separation - ensure users operate with minimal necessary privileges
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check MAU version: Open Microsoft AutoUpdate → About Microsoft AutoUpdate. Compare version against patched version in Microsoft advisory.
Check Version:
defaults read /Library/Preferences/com.microsoft.autoupdate2.plist Version
Verify Fix Applied:
Verify MAU is updated to patched version and check system logs for any privilege escalation attempts post-update.
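The version comparison and the launchd check from the workaround above, combined in one script. This is an added example, not part of the advisory or of Microsoft's tooling. It assumes: the preference file and key named in the "Check Version" step; PATCHED_VERSION is a placeholder you must replace with the version published at the MSRC link, since the advisory does not state it; and the MAU bundle path used as a fallback is the usual install location and is an assumption. Note that `launchctl unload` is the legacy subcommand; on current macOS `launchctl bootout` is the modern equivalent, and system daemons are only visible to `launchctl list` when run as root.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed Microsoft
# AutoUpdate is older than a patched version you supply, and whether the two
# launchd jobs named in the workaround are still loaded.

MAU_PREFS=/Library/Preferences/com.microsoft.autoupdate2.plist
# Assumed fallback location of the MAU app bundle (not stated on the page).
MAU_INFO="/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/Info.plist"
# PLACEHOLDER: replace with the fixed version from the MSRC advisory.
PATCHED_VERSION="${PATCHED_VERSION:-0.0.0}"

# version_lt A B: exit 0 when dotted numeric version A is older than B.
# Missing trailing components count as 0, so 16.95 == 16.95.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ah="${ah:-0}"; bh="${bh:-0}"
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 1   # versions are equal
}

# mau_status INSTALLED PATCHED: prints "vulnerable" or "patched".
mau_status() {
    if version_lt "$1" "$2"; then echo vulnerable; else echo patched; fi
}

# mau_installed_version: page's command first, bundle Info.plist as fallback.
mau_installed_version() {
    defaults read "$MAU_PREFS" Version 2>/dev/null \
        || defaults read "$MAU_INFO" CFBundleShortVersionString 2>/dev/null \
        || echo unknown
}

# mau_jobs_loaded: print each MAU launchd label that is still loaded.
# Run as root to see the LaunchDaemon; the LaunchAgent shows in a user session.
mau_jobs_loaded() {
    for label in com.microsoft.autoupdate.helper com.microsoft.update.agent; do
        launchctl list 2>/dev/null | awk -v l="$label" '$3 == l { print l }'
    done
}

# Only the macOS-specific calls run on a Mac; the helpers above are portable.
if [ "$(uname)" = Darwin ]; then
    installed=$(mau_installed_version)
    echo "MAU installed: $installed, patched: $PATCHED_VERSION"
    if [ "$installed" = unknown ]; then
        echo "MAU version could not be read; is MAU installed?"
    else
        echo "status: $(mau_status "$installed" "$PATCHED_VERSION")"
    fi
    loaded=$(mau_jobs_loaded)
    if [ -n "$loaded" ]; then
        echo "MAU launchd jobs still loaded (workaround not applied):"; echo "$loaded"
    else
        echo "no MAU launchd jobs loaded"
    fi
fi
```

Run it as `sudo PATCHED_VERSION=<version from MSRC> sh check_mau.sh`. A "patched" status with no loaded jobs means the workaround is still in place and should be reverted (`launchctl load` or `bootout`/`bootstrap`) once the fixed version is confirmed, otherwise later updates will not arrive.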
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events in system logs
- MAU process spawning with elevated privileges unexpectedly
- Authentication logs showing user privilege changes
Network Indicators:
- MAU communicating with unusual endpoints or at unusual times
SIEM Query:
Process creation where parent_process contains 'Microsoft AutoUpdate' and (process_name contains 'sudo' OR process_name contains 'launchctl' OR integrity_level changed)
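The SIEM query above expressed as a shell filter and run over constructed process-creation records, as an added example that is not part of the advisory. The record format (timestamp, parent process, child process, launching uid, effective uid) and every event line are constructed for this example; a real deployment would feed records from an EDR or Endpoint Security client. "integrity_level changed" has no direct macOS equivalent, so it is interpreted here as a child running with effective uid 0 when the launching user was not root.

```shell
#!/bin/sh
# Added example (not from the advisory): flag process-creation records where
# Microsoft AutoUpdate is the parent and the child is sudo/launchctl or has
# gained root. Input records (constructed format): ts|parent|child|uid|euid

flag_mau_escalation() {
    awk -F'|' '
        # Only children of MAU are of interest (parent_process contains "Microsoft AutoUpdate").
        index($2, "Microsoft AutoUpdate") == 0 { next }
        # Child is sudo or launchctl (match on the basename).
        $3 ~ /(^|\/)(sudo|launchctl)$/ { print "ALERT:" $0; next }
        # Launched by a non-root user but running as root: privilege change.
        $4 != "0" && $5 == "0"        { print "ALERT:" $0; next }
    '
}

# mau_alert_count: number of flagged records on stdin (0 when none).
mau_alert_count() {
    flag_mau_escalation | grep -c '^ALERT' || true
}

# Constructed sample events: two benign, two suspicious, one unrelated.
SAMPLE_EVENTS='2025-06-01T10:00:01Z|Microsoft AutoUpdate|/usr/bin/curl|501|501
2025-06-01T10:00:02Z|Microsoft AutoUpdate|/usr/bin/sudo|501|501
2025-06-01T10:00:03Z|Microsoft AutoUpdate|/bin/sh|501|0
2025-06-01T10:00:04Z|Terminal|/usr/bin/sudo|501|501
2025-06-01T10:00:05Z|Microsoft AutoUpdate|/usr/bin/plutil|501|501'

# Stand-alone run: prints the two ALERT lines and the count.
printf '%s\n' "$SAMPLE_EVENTS" | flag_mau_escalation
echo "alerts: $(printf '%s\n' "$SAMPLE_EVENTS" | mau_alert_count)"
```

The Terminal-spawned sudo is deliberately not flagged: the query keys on MAU as the parent, so the same child process under a different parent stays noise. Tune the uid rule if MAU's helper daemon legitimately runs as root in your telemetry, and alert on the sudo/launchctl rule alone in that case.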