EUVD-2025-17770
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Improper link resolution before file access ('link following') in Windows Installer allows an authorized attacker to elevate privileges locally.
Analysis
Privilege escalation vulnerability in Windows Installer that exploits improper symlink/junction handling (CWE-59: link following) to allow an authorized local attacker to elevate privileges without user interaction. With a CVSS score of 7.8 and CVSS vector indicating local attack vector with low complexity and no user interaction required, this vulnerability affects Windows Installer across multiple versions. Real-world risk depends on KEV/CISA status and EPSS probability, which should be cross-referenced against active exploitation reports and POC availability.
Technical Context
This vulnerability exploits improper link resolution in Windows Installer (msiexec.exe and related MSI processing components), which fails to properly validate symbolic links or NTFS junctions before file access operations during package installation. CWE-59 (Link Following) describes the root cause: the application follows a link (symlink/junction) to a file without verifying the link's target is legitimate. Windows Installer processes MSI packages with SYSTEM privileges in certain contexts, creating a Time-of-Check-Time-of-Use (TOCTOU) window where an attacker can replace legitimate file paths with links pointing to sensitive system locations (e.g., %SystemRoot%, %ProgramFiles%, registry hives). The vulnerability is exacerbated because authorized users (PR:L in CVSS vector) can trigger MSI installations, and the installer's file operations are not confined by strict path validation or link-aware APIs.
Affected Products
Windows Installer components across Windows operating systems. Specific affected products typically include: Microsoft Windows (all supported versions—Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and earlier versions still in extended support). The vulnerability affects msiexec.exe and the MSI engine (msi.dll, others). CPE would be expected to include cpe:2.3:a:microsoft:windows_installer:*:* or cpe:2.3:o:microsoft:windows:* (affected versions TBD by official advisory). Without access to official Microsoft security advisories or KB articles, specific version ranges cannot be definitively stated; however, all Windows versions using the vulnerable Windows Installer code path are in scope. Recommendation: Cross-reference Microsoft Security Advisory/KB article associated with CVE-2025-33075 for exact version matrix.
Remediation
1. PATCH: Apply Microsoft security updates addressing CVE-2025-33075 via Windows Update or Microsoft Update Catalog (KB article TBD—check Microsoft Security Response Center). 2. PRIORITIZE: Treat as high-priority patching given privilege escalation severity. 3. WORKAROUNDS (if patch delayed): (a) Restrict MSI installation privileges via Group Policy ('Disable Windows Installer' or 'Always install with elevated privileges' policies—though caveat: these may break legitimate installs); (b) Monitor %TEMP% and installation directories for suspicious symlink/junction creation (detection evasion technique); (c) Require administrative approval for all MSI installations (increases friction but reduces attack surface). 4. DETECTION: Implement file system monitoring for symlink/junction creation in installer working directories and temporary paths; correlate with MSI installation attempts. 5. REFERENCE: Consult Microsoft Security Update Guide and relevant KB articles for patch availability and version-specific guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today