Support Crack-Vault and help us keep providing free tools. Every donation counts! (BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn

CVE-2025-48799 – Local Privilege Escalation

NikolasHume

CVE-2025-48799 – Local Privilege Escalation in Windows Update Service

CVE ID: CVE‑2025‑48799
Affected System: Microsoft Windows Update Service (wuauserv)
Operating Systems: Windows 10 & 11 (multiple versions)
Vulnerability Type: Local Privilege Escalation (Improper Link Resolution / Symlink Attack)
CVSS v3.1 Score: 7.8 (High)

📝 Overview

CVE-2025-48799 is a local privilege escalation vulnerability in the Windows Update Service (wuauserv) on Windows 10 and 11 PCs configured with more than one physical or logical drive. By manipulating symbolic links during moltdrive file operations, a low-privileged user can coerce the Update Service to delete or manipulate arbitrary files or directories with SYSTEM privileges, enabling elevation of privilege.

🔍 Technical Insight

Storage Sense Configuration
The attacker reconfigures the default installation or application storage to a secondary drive using Storage Sense.
Arbitrary Deletion via Link-Following
During application installation, the Update Service deletes temporary folders on the designated drive. This delete operation incorrectly follows symbolic links created by the attacker—and because wuauserv checks the final destination with GetFinalPathByHandle, it deletes files outside its intended directory.
Privilege Escalation
By precisely planting symbolic links, the attacker causes the service (running as SYSTEM) to delete or modify protected files or directories, thereby achieving local privilege escalation (LPE).

The vulnerability is categorized under CWE-59: Improper Link Resolution Before File Access (“Link Following”) and corresponds to CAPEC-132: Symlink Attack .

💻 Proof of Concept

The GitHub repository by Wh04m1001 hosts a fully functional C/C++ PoC that demonstrates this vulnerability:

Constructs folders on secondary drives.
Creates symlinks pointing to sensitive directories.
Triggers the Update Service to perform the deletion.
Achieves SYSTEM-level file manipulation.

While not detailed file-by-file here, the repository includes both C and C++ source code that replicate the exploit steps.

🎯 Impact

Privileges Required: Low-privileged local user
Scope: Local only (not remotely exploitable)
Potential Consequences:
- Full SYSTEM-level access
- Unauthorized file deletion or modification
- Installation of malware or creation of backdoors
- Lateral movement within compromised environments

🛠️ Affected Versions

According to Vulmon, systems affected include:

Windows 10: 1607, 1809, 21H2, 22H2
Windows 11: 22H2, 23H2, 24H2
Windows Server 2025 (core)

✅ Mitigation & Remediation

Patch Immediately: Install the July 2025 Windows security updates. 10
Restrict User Permissions: Minimize local account rights; avoid granting unnecessary write or link-creation permissions.
Monitor Endpoint Activities: Audit wuauserv activity and track file deletions and symlink deployments using EDR solutions.
Defensive Hardening: Apply strict file system permission policies, use AppLocker, and enforce controlled folder access where possible.

🧩 Relevance to Security Community

Symlink vulnerabilities like this highlight the importance of secure file system operations within privileged services. The CVE-2025-48799 exploit demonstrates that even trusted components like Windows Update can be manipulated when link-tracking and path sanitization are neglected. It also echoes techniques documented by ZDI in 2022 around abusing deletion routines via symlinks.

📚 References

GitHub PoC: Wh04m1001/CVE-2025-48799
Vulmon Vulnerability Summary
In-depth Feedly Threat Report
cvefeed.io Data Sheet
ZDI blog: “Abusing Arbitrary File Deletes…” (referenced in README)

🧠 Conclusion

CVE‑2025‑48799 underlines a critical logic flaw in Windows Update’s file handling process. Attackers with basic local access can potentially break containment by abusing symlinks, leading to SYSTEM-level compromise. It is crucial for administrators to deploy patches and reinforce file audit policies without delay.

📱

Download Now—Top Software, No Cost!