Windows Update Stack Privilege Escalation Vulnerability (CVE-2025-21204) – PoC Released
The flaw, disclosed by researchers at Cyberdom Blog, poses a significant risk to millions of Windows users and organizations relying on windows.
| OEM | Windows |
| Severity | HIGH |
| CVSS Score | 7.8 |
| CVEs | CVE-2025-21204 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A high-severity vulnerability in the Windows Update Stack, CVE-2025-21204, enables local attackers to escalate privileges to SYSTEM level by exploiting trusted path abuse through symbolic links. The flaw affects various versions of Windows 10, Windows 11, and Windows Server.
A working proof-of-concept (PoC) exploit has been publicly released by security researcher Elli Shlomo, increasing the urgency to patch. The issue is addressed in the April 2025 cumulative update KB5055523.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Update Stack Privilege Escalation | CVE-2025-21204 | Windows | HIGH | 7.8 |
Technical Summary
The vulnerability lies in how Windows Update processes such as MoUsoCoreWorker.exe and UsoClient.exe, which run with SYSTEM privileges, handle directory junctions. Attackers can delete the legitimate Tasks directory under C:\ProgramData\Microsoft\UpdateStack and replace it with a symbolic link pointing to an attacker-controlled path. This allows the execution of arbitrary code as SYSTEM without triggering traditional security mechanisms.
A public PoC developed by Elli Shlomo demonstrates this exploit using only native Windows features—no external binaries or code injection required.
This opens the door for a range of attacks, including installing persistent malware, disabling security tools, or accessing sensitive data.
| CVE ID | System Affected | Vulnerability Details | Exploit Prerequisites | Impact |
| CVE-2025-21204 | Windows 10 (10.0.10240.0 < 10.0.10240.20978, etc.), Windows 11, Server | Misuse of NTFS junctions allows local attackers to redirect C:\ProgramData\Microsoft\UpdateStack\Tasks to attacker-controlled locations. SYSTEM-level update processes follow these junctions and execute unauthorized code. | Attackers must have local access and limited user privileges; no user interaction required | Local privilege escalation, Code execution |
Source: Cyberdom
Recommendations:
- Apply the April 2025 cumulative update (KB5055523) immediately.
- Restrict ACLs on C:\ProgramData\Microsoft\UpdateStack.
- Use AppLocker or WDAC to block symbolic link creation in sensitive directories.
- Monitor file operations involving UpdateStack and inetpub, regardless of IIS presence.
- Detect attempts to create NTFS junctions targeting update directories.
Conclusion:
CVE-2025-21204 is an example of a rather low-level and impactful threat doing trusted path abuse rather than complex memory corruption. This vulnerability demonstrates how attackers will exploit trust assumptions built into the operating system via native components.
The only defenses available are to immediately patch and harden directory access controls to stop this low-level and minimally visible localized privilege escalation.
References:
