The vulnerability CVE-2025-68623 affects the Microsoft DirectX End-User Runtime Web Installer version 9.29.1974.0. During installation, the installer runs with HIGH integrity privileges and downloads executable files and DLLs into the %TEMP% directory, which is writable by standard users. Because the installer does not verify or protect these downloaded files, a low-privilege user can replace the legitimate executable with a malicious one before execution. When the installer subsequently runs the replaced executable with HIGH integrity, the attacker’s code executes with elevated privileges. This allows the attacker to escalate privileges from a standard user to SYSTEM by, for example, registering and executing a service. The vulnerability is classified under CWE-284 (Improper Access Control). Despite the supplier disputing this as a vulnerability, the behavior effectively enables privilege escalation. The CVSS v3.1 score is 8.8 (High), with attack vector local, low attack complexity, low privileges required, no user interaction, and scope changed. No patches or mitigations have been officially released, and no known exploits have been observed in the wild as of the publication date. The issue arises from insecure handling of temporary files during installation, a common vector for privilege escalation attacks.

This vulnerability allows an attacker with standard user access to escalate privileges to SYSTEM level, which is the highest level of privilege on a Windows system. This can lead to full system compromise, including the ability to install persistent malware, access or modify sensitive data, disable security controls, and move laterally within a network. The impact affects confidentiality, integrity, and availability of affected systems. Since the installer runs with high privileges and executes attacker-controlled code, the attacker gains complete control over the system. This is particularly dangerous in enterprise environments where users may have limited privileges but can run installers. The lack of patches and the installer’s widespread use in Windows environments increase the risk. Although no exploits are currently known in the wild, the vulnerability’s characteristics make it a prime target for attackers seeking privilege escalation on Windows endpoints.

Organizations should restrict access to the %TEMP% directory to prevent unauthorized modification of files during installation. Running the installer in a controlled environment or with restricted permissions can reduce risk. Use application whitelisting and endpoint protection solutions to detect and block unauthorized executable modifications. Monitor installation processes for unexpected file changes in temporary directories. Until an official patch is released, consider deploying the installer only on trusted machines or under administrative supervision. Employ least privilege principles to limit user ability to run installers or modify temporary files. Additionally, consider using Windows Defender Application Control or similar technologies to enforce code integrity policies. Regularly audit systems for signs of privilege escalation attempts and educate users about the risks of running untrusted installers. Finally, maintain up-to-date backups to recover from potential compromises.