CVE-2025-68623 in DirectX End-User Runtime Web Installer
Summary
by MITRE • 03/11/2026
In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. During installation, the installer runs with HIGH integrity and downloads executables and DLLs to the %TEMP% folder - writable by standard users. Subsequently, the installer executes the downloaded executable with HIGH integrity to complete the application installation. However, an attacker can replace the downloaded executable with a malicious, user-controlled executable. When the installer executes this replaced file, it runs the attacker's code with HIGH integrity. Since code running at HIGH integrity can escalate to SYSTEM level by registering and executing a service, this creates a complete privilege escalation chain from standard user to SYSTEM. NOTE: The Supplier disputes this record stating that they have determined this to be the behavior as designed.
Analysis
by VulDB Data Team • 03/14/2026
This vulnerability affects Microsoft DirectX End-User Runtime Web Installer version 9.29.1974.0: a privilege escalation flaw lets a low-privilege user run arbitrary code with elevated privileges. The core issue is improper handling of temporary files during installation, which opens a race condition an attacker can win. The installer runs at HIGH integrity, as it must for system-level operations, but it downloads and executes files from the %TEMP% directory, which standard users can write to. That combination is the security gap: user-controlled files can be substituted for legitimate installation components.
Technically this is a classic race condition: the installer creates temporary files in a location writable by any user, then executes those files with elevated privileges. The behaviour matches CWE-345, Insufficient Verification of Data Authenticity, because the installer never verifies the integrity of the downloaded components before executing them. Downloading executables to %TEMP% and then running them at HIGH integrity creates an attack surface that directly violates the principle of least privilege; the specific weakness is that the installer's temporary files are not protected against modification by unprivileged users.
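The verification gap described above, as an added example that is neither Microsoft's nor VulDB's code: a simulated installer that stages a downloaded executable the vulnerable way (shared temp folder, execute by path) beside a hardened version that stages it in a private directory and checks a pinned SHA-256 digest over the exact bytes it is about to run. The payload bytes, the `redist_setup.exe` name, the pinned digest and the attacker's swap are all constructed, and "execution" is modelled as reading the staged file back, so nothing is actually launched.

```python
"""Simulated installer staging: vulnerable vs. hardened (added example).

Everything here is constructed: the payloads are not real binaries, the pinned
digest is computed from the constructed genuine payload, and "executing" the
staged file means reading its bytes back (a stand-in for CreateProcess).
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional

GENUINE_PAYLOAD = b"MZ-constructed-genuine-redistributable-stub"
TAMPERED_PAYLOAD = b"MZ-constructed-user-controlled-stub"
# Assumed to ship inside the (signed) installer itself, i.e. not writable by
# the low-privilege user; hypothetical value for this example.
PINNED_SHA256 = hashlib.sha256(GENUINE_PAYLOAD).hexdigest()

RaceHook = Optional[Callable[[Path], None]]


def simulated_download() -> bytes:
    """Stands in for fetching the redistributable over the network."""
    return GENUINE_PAYLOAD


def simulate_attacker_swap(staged: Path) -> None:
    """What any principal with write access to the staging folder can do
    between the installer's download and its execution of the file."""
    staged.write_bytes(TAMPERED_PAYLOAD)


def vulnerable_install(shared_temp: Optional[Path] = None,
                       race_hook: RaceHook = None) -> bytes:
    """The pattern the advisory describes: write into a folder every user can
    write to (%TEMP%), then execute whatever sits at that path at HIGH integrity."""
    shared_temp = shared_temp or Path(tempfile.mkdtemp(prefix="shared-temp-"))
    staged = shared_temp / "redist_setup.exe"
    staged.write_bytes(simulated_download())
    if race_hook:
        race_hook(staged)            # the race window
    return staged.read_bytes()       # no check: runs whatever is there now


def hardened_install(race_hook: RaceHook = None) -> bytes:
    """Two independent controls: a private staging directory and an integrity
    check over the exact bytes that will be executed."""
    # mkdtemp creates the directory with mode 0o700 on POSIX. On Windows the
    # equivalent is a directory whose ACL grants write access only to
    # administrators/SYSTEM (assumption: the elevated installer creates one),
    # because the logged-on user's %TEMP% stays writable at medium integrity
    # even while the installer itself runs at HIGH.
    private_dir = Path(tempfile.mkdtemp(prefix="installer-private-"))
    staged = private_dir / "redist_setup.exe"
    # O_EXCL: refuse to reuse a pre-planted file or link at that name.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(staged, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(simulated_download())
    if race_hook:
        race_hook(staged)            # same window; the check below closes it
    with open(staged, "rb") as f:
        data = f.read()              # hash and "execute" the same bytes
    if hashlib.sha256(data).hexdigest() != PINNED_SHA256:
        raise ValueError("staged executable failed integrity check; aborting install")
    return data


if __name__ == "__main__":
    print("vulnerable, no race  :", vulnerable_install() == GENUINE_PAYLOAD)
    print("vulnerable, with race:", vulnerable_install(race_hook=simulate_attacker_swap) == TAMPERED_PAYLOAD)
    print("hardened, no race    :", hardened_install() == GENUINE_PAYLOAD)
    try:
        hardened_install(race_hook=simulate_attacker_swap)
    except ValueError as err:
        print("hardened, with race  : rejected ->", err)
```

The two controls are deliberately independent: the private directory stops the swap from happening at all when the ACL is right, and the digest check catches it anyway when the ACL is not (as in the example, where the "attacker" runs as the same user and the swap succeeds). Hashing a copy of the bytes and then re-opening the path for execution would reopen the window, which is why the same read serves both purposes here.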
The operational impact is severe because the flaw provides a complete path from standard user to SYSTEM. Once an attacker has replaced the legitimate executable in %TEMP% with a malicious one, the installer runs that replacement at HIGH integrity. In that context the malicious code can perform operations normally reserved for system-level processes, including registering and starting a service, and the attack chain uses the Windows Service Control Manager to escalate the rest of the way to SYSTEM. That makes the vulnerability particularly dangerous in enterprise environments. It maps to ATT&CK technique T1068 Privilege Escalation: installer components are used to execute malicious code with elevated privileges.
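A detection angle on the execution step above, as an added example that is not part of the advisory: a small rule run over constructed Sysmon-style process-creation events (Event ID 1 fields `Image`, `IntegrityLevel`, `User`, `ParentImage`; the user names and binary names are invented) that flags any HIGH or System integrity process whose image lives under a user's %TEMP% folder. It goes slightly beyond the page by also catching the second stage, a service binary started by SYSTEM from the same folder, and can be extended to other user-writable staging folders through `WRITABLE_STAGING_RES`.

```python
"""Flag elevated processes launched from a user-writable temp folder
(added example; events are constructed, modelled on Sysmon Event ID 1)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed key=value event lines, '|'-separated. All names are invented.
SAMPLE_EVENTS = [
    "UtcTime=2026-03-14 10:00:01.000|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\redist_setup.exe"
    "|IntegrityLevel=High|User=CORP\\alice|ParentImage=C:\\Users\\alice\\Downloads\\webinstaller.exe",
    "UtcTime=2026-03-14 10:00:05.000|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater_helper.exe"
    "|IntegrityLevel=Medium|User=CORP\\alice|ParentImage=C:\\Windows\\explorer.exe",
    "UtcTime=2026-03-14 10:01:10.000|Image=C:\\Program Files\\Vendor\\setup.exe"
    "|IntegrityLevel=High|User=CORP\\alice|ParentImage=C:\\Users\\alice\\Downloads\\webinstaller.exe",
    "UtcTime=2026-03-14 10:02:00.000|Image=c:\\users\\bob\\appdata\\local\\temp\\svc_install.exe"
    "|IntegrityLevel=System|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\services.exe",
]

# %TEMP% for a logged-on user resolves to %USERPROFILE%\AppData\Local\Temp.
# Add further patterns here for other folders standard users can write to.
WRITABLE_STAGING_RES = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE),
]
ELEVATED_LEVELS = {"High", "System"}


@dataclass(frozen=True)
class ProcessCreate:
    utc_time: str
    image: str
    integrity_level: str
    user: str
    parent_image: str


def parse_event(line: str) -> ProcessCreate:
    """Parse one constructed '|'-separated key=value line into a record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessCreate(
        utc_time=fields["UtcTime"],
        image=fields["Image"],
        integrity_level=fields["IntegrityLevel"],
        user=fields["User"],
        parent_image=fields["ParentImage"],
    )


def is_elevated_temp_exec(ev: ProcessCreate) -> bool:
    """True when an elevated process image sits in a user-writable staging folder."""
    in_staging = any(r.match(ev.image) for r in WRITABLE_STAGING_RES)
    return in_staging and ev.integrity_level in ELEVATED_LEVELS


def find_alerts(lines: List[str]) -> List[ProcessCreate]:
    """Run the rule over raw event lines and return the matching records."""
    return [ev for ev in map(parse_event, lines) if is_elevated_temp_exec(ev)]


if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print(f"[ALERT] {ev.utc_time} {ev.integrity_level:6} {ev.user}: "
              f"{ev.parent_image} -> {ev.image}")
```

Expect noise: many legitimate installers extract to %TEMP% and run elevated, so in production the rule is normally narrowed with a `ParentImage` allow-list or paired with a file-write event from a medium-integrity process on the same path shortly before the launch, which is the telltale of the swap rather than of ordinary installer behaviour.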
The security implications go beyond a single privilege escalation: the flaw can be used in targeted attacks against specific systems or in broader exploitation campaigns. Because the installer runs at HIGH integrity while %TEMP% remains writable by standard users, the design flaw is inherent and can be exploited systematically. Mitigation should focus on restricting standard users' write access to the %TEMP% directory, implementing proper file integrity verification, and ensuring that installation components cannot be replaced while the installer runs. Organizations should also consider disabling the affected installer or adding security controls around temporary file handling. The vendor's position that this behaviour is "as designed" is itself a significant security concern, since sound security practice requires installation processes to protect against exactly this kind of manipulation.