FKIE_CVE-2025-68623

Vulnerability from fkie_nvd - Published: 2026-03-11 17:16 - Updated: 2026-03-12 21:08
Summary
In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. During installation, the installer runs with HIGH integrity and downloads executables and DLLs to the %TEMP% folder - writable by standard users. Subsequently, the installer executes the downloaded executable with HIGH integrity to complete the application installation. However, an attacker can replace the downloaded executable with a malicious, user-controlled executable. When the installer executes this replaced file, it runs the attacker's code with HIGH integrity. Since code running at HIGH integrity can escalate to SYSTEM level by registering and executing a service, this creates a complete privilege escalation chain from standard user to SYSTEM. NOTE: The Supplier disputes this record stating that they have determined this to be the behavior as designed.

{
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. During installation, the installer runs with HIGH integrity and downloads executables and DLLs to the %TEMP% folder - writable by standard users. Subsequently, the installer executes the downloaded executable with HIGH integrity to complete the application installation. However, an attacker can replace the downloaded executable with a malicious, user-controlled executable. When the installer executes this replaced file, it runs the attacker\u0027s code with HIGH integrity. Since code running at HIGH integrity can escalate to SYSTEM level by registering and executing a service, this creates a complete privilege escalation chain from standard user to SYSTEM. NOTE: The Supplier disputes this record stating that they have determined this to be the behavior as designed."
    },
    {
      "lang": "es",
      "value": "En Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, un usuario con pocos privilegios puede reemplazar un archivo ejecutable durante el proceso de instalaci\u00f3n, lo que puede resultar en una elevaci\u00f3n de privilegios no intencionada. Durante la instalaci\u00f3n, el instalador se ejecuta con integridad ALTA y descarga ejecutables y DLL a la carpeta %TEMP% - escribible por usuarios est\u00e1ndar. Posteriormente, el instalador ejecuta el ejecutable descargado con integridad ALTA para completar la instalaci\u00f3n de la aplicaci\u00f3n. Sin embargo, un atacante puede reemplazar el ejecutable descargado con un ejecutable malicioso controlado por el usuario. Cuando el instalador ejecuta este archivo reemplazado, ejecuta el c\u00f3digo del atacante con integridad ALTA. Dado que el c\u00f3digo que se ejecuta con integridad ALTA puede escalar al nivel SYSTEM al registrar y ejecutar un servicio, esto crea una cadena completa de escalada de privilegios de usuario est\u00e1ndar a SYSTEM. NOTA: El proveedor disputa este registro afirmando que han determinado que este es el comportamiento dise\u00f1ado."
    }
  ],
  "id": "CVE-2025-68623",
  "lastModified": "2026-03-12T21:08:22.643",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 6.0,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-11T17:16:52.750",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2293"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.microsoft.com/en-us/download/details.aspx?id=35"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2293"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


