How to fix CVE-2025-68623?

Within 24 hours: Inventory all systems with DirectX End-User Runtime Web Installer 9.29.1974.0 and restrict installer execution to administrators only via Group Policy or application whitelisting. Within 7 days: Disable or remove the web installer where feasible and migrate to offline DirectX deployment methods; implement enhanced monitoring for privilege escalation attempts. Within 30 days: Evaluate alternative graphics runtime solutions, establish a formal patching process once Microsoft releases a fix, and conduct privilege escalation vulnerability assessments across the environment.

Is Microsoft affected by CVE-2025-68623?

CVE-2025-68623 affects Microsoft DirectX End-User Runtime Web Installer and allows low-privilege users to escalate privileges by replacing executable files during installation.

CVE-2025-68623

HIGH

2026-03-11 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 11, 2026 - 17:16 nvd

HIGH 8.8

Description

In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. During installation, the installer runs with HIGH integrity and downloads executables and DLLs to the %TEMP% folder - writable by standard users. Subsequently, the installer executes the downloaded executable with HIGH integrity to complete the application installation. However, an attacker can replace the downloaded executable with a malicious, user-controlled executable. When the installer executes this replaced file, it runs the attacker's code with HIGH integrity. Since code running at HIGH integrity can escalate to SYSTEM level by registering and executing a service, this creates a complete privilege escalation chain from standard user to SYSTEM. NOTE: The Supplier disputes this record stating that they have determined this to be the behavior as designed.

Analysis

Technical Context

Classified as CWE-284 (Improper Access Control). In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. During installation, the installer runs with HIGH integrity and downloads executables and DLLs to the %TEMP% folder - writable by standard users. Subsequently, the installer executes the downloaded executable with HIGH integrity to complete the application installation. However, an attacker ca

Affected Products

In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process,

Remediation

Monitor vendor advisories for a patch.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2025-68623 vulnerability details – vuln.today

Back

CVE-2025-68623

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-68623

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code