CVE-2025-48799 – Local Privilege Escalation in Windows Update Service
CVE ID: CVE‑2025‑48799
Affected System: Microsoft Windows Update Service (wuauserv)
Operating Systems: Windows 10 & 11 (multiple versions)
Vulnerability Type: Local Privilege Escalation (Improper Link Resolution / Symlink Attack)
CVSS v3.1 Score: 7.8 (High)
📝 Overview
CVE-2025-48799 is a local privilege escalation vulnerability in the Windows Update Service (wuauserv
) on Windows 10 and 11 PCs configured with more than one physical or logical drive. By manipulating symbolic links during moltdrive file operations, a low-privileged user can coerce the Update Service to delete or manipulate arbitrary files or directories with SYSTEM privileges, enabling elevation of privilege.
🔍 Technical Insight
- Storage Sense Configuration
The attacker reconfigures the default installation or application storage to a secondary drive using Storage Sense.
- Arbitrary Deletion via Link-Following
During application installation, the Update Service deletes temporary folders on the designated drive. This delete operation incorrectly follows symbolic links created by the attacker—and because wuauserv
checks the final destination with GetFinalPathByHandle
, it deletes files outside its intended directory.
- Privilege Escalation
By precisely planting symbolic links, the attacker causes the service (running as SYSTEM) to delete or modify protected files or directories, thereby achieving local privilege escalation (LPE).
The vulnerability is categorized under CWE-59: Improper Link Resolution Before File Access (“Link Following”) and corresponds to CAPEC-132: Symlink Attack .
💻 Proof of Concept
The GitHub repository by Wh04m1001 hosts a fully functional C/C++ PoC that demonstrates this vulnerability:
- Constructs folders on secondary drives.
- Creates symlinks pointing to sensitive directories.
- Triggers the Update Service to perform the deletion.
- Achieves SYSTEM-level file manipulation.
While not detailed file-by-file here, the repository includes both C and C++ source code that replicate the exploit steps.
🎯 Impact
- Privileges Required: Low-privileged local user
- Scope: Local only (not remotely exploitable)
- Potential Consequences:
- Full SYSTEM-level access
- Unauthorized file deletion or modification
- Installation of malware or creation of backdoors
- Lateral movement within compromised environments
🛠️ Affected Versions
According to Vulmon, systems affected include:
- Windows 10: 1607, 1809, 21H2, 22H2
- Windows 11: 22H2, 23H2, 24H2
- Windows Server 2025 (core)
✅ Mitigation & Remediation
- Patch Immediately: Install the July 2025 Windows security updates. 10
- Restrict User Permissions: Minimize local account rights; avoid granting unnecessary write or link-creation permissions.
- Monitor Endpoint Activities: Audit
wuauserv
activity and track file deletions and symlink deployments using EDR solutions.
- Defensive Hardening: Apply strict file system permission policies, use AppLocker, and enforce controlled folder access where possible.
🧩 Relevance to Security Community
Symlink vulnerabilities like this highlight the importance of secure file system operations within privileged services. The CVE-2025-48799 exploit demonstrates that even trusted components like Windows Update can be manipulated when link-tracking and path sanitization are neglected. It also echoes techniques documented by ZDI in 2022 around abusing deletion routines via symlinks.
📚 References
- GitHub PoC: Wh04m1001/CVE-2025-48799
- Vulmon Vulnerability Summary
- In-depth Feedly Threat Report
- cvefeed.io Data Sheet
- ZDI blog: “Abusing Arbitrary File Deletes…” (referenced in README)
🧠 Conclusion
CVE‑2025‑48799 underlines a critical logic flaw in Windows Update’s file handling process. Attackers with basic local access can potentially break containment by abusing symlinks, leading to SYSTEM-level compromise. It is crucial for administrators to deploy patches and reinforce file audit policies without delay.