CVE-2025-61973
A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Epic Games Store 14.6.2.0
DXSETUP.exe version 4.9.0.0904
Epic Games Store - https://store.epicgames.com/en-US/download
8.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-284 - Improper Access Control
The Epic Games Store is a digital distribution platform for PC and macOS developed and operated by Epic Games. It enables users to purchase, download, and manage their game collections in one place.
Epic Games Store is vulnerable to a privilege escalation issue when installed via the Microsoft Store application. When a user attempts to install Epic Games Store, the following events occur in the background:
WindowsPackageManagerServer.exe downloads and executes an MSI file.
12:19:01.0748837 PM WindowsPackageManagerServer.exe 8196 SetRenameInformationFile C:\Users\dev\AppData\Local\Temp\WinGet\XP99VR1BPSBQJ2.1.3.23.0\aa81f2cc1813c01bc43ecc82380e0ddbc5f6d39e8bf6e3680e92354393930643 SUCCESS ReplaceIfExists: True, FileName: C:\Users\dev\AppData\Local\Temp\WinGet\XP99VR1BPSBQJ2.1.3.23.0\d36fcc10-a805-47ce-924f-9be09c8ea60f_aa81f2cc1813c01bc43ecc82380e0ddbc5f6d39e8bf6e3680e92354393930643.msi Medium
During installation, msiexec.exe extracts DXSETUP.exe from the MSI file and executes it with SYSTEM privileges.
12:23:53.2485007 PM msiexec.exe 1216 CreateFile C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe SUCCESS Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Open No Recall, Attributes: n/a, ShareMode: None, AllocationSize: 0, OpenResult: Created System
[...]
12:24:44.3589058 PM msiexec.exe 1216 Process Create C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe SUCCESS PID: 5676, Command line: "C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe" /silent System
12:24:44.3589346 PM DXSETUP.exe 5676 Process Start SUCCESS Parent PID: 1216, Command line: "C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe" /silent, Current directory: C:\Windows\system32\, Environment:
[...]
DXSETUP.exe creates a tmp folder in the %TEMP% directory. It writes dxupdate.dll to this folder and later loads it.
12:24:45.6560257 PM DXSETUP.exe 5676 CreateFile C:\Users\dev\AppData\Local\Temp\DX33A.tmp SUCCESS Desired Access: Generic Read, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created System
12:24:46.1930326 PM DXSETUP.exe 5676 CreateFile C:\Users\dev\AppData\Local\Temp\DX33A.tmp\dxupdate.dll SUCCESS Desired Access: Generic Read/Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created System
12:24:46.1954409 PM DXSETUP.exe 5676 WriteFile C:\Users\dev\AppData\Local\Temp\DX33A.tmp\dxupdate.dll SUCCESS Offset: 0, Length: 32,768, Priority: Normal System
[...]
12:24:46.4868486 PM DXSETUP.exe 5676 CreateFileMapping C:\Users\dev\AppData\Local\Temp\DX33A.tmp\dxupdate.dll SUCCESS SyncType: SyncTypeOther System
12:24:46.4869138 PM DXSETUP.exe 5676 CreateFileMapping C:\Users\dev\AppData\Local\Temp\DX33A.tmp\dxupdate.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: System
The vulnerability exists because the tmp folder is writable by standard users. An attacker with user privileges can exploit this by replacing dxupdate.dll with a malicious DLL. When DXSETUP.exe loads dxupdate.dll, it will execute the attacker-controlled file with SYSTEM privileges.
The Process Monitor log below shows the creation of C:\pwned.txt when the attacker-controlled dxupdate.dll is loaded. Note that only a high-privilege user can create a file in the root directory.
6:55:21.9254301 AM DXSETUP.exe 9472 CreateFileMapping C:\Users\dev\AppData\Local\Temp\DXFD87.tmp\dxupdate.dll SUCCESS SyncType: SyncTypeOther System
[...]
6:55:21.9272989 AM DXSETUP.exe 9472 CreateFile C:\pwned.txt SUCCESS Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created System
6:55:21.9277057 AM DXSETUP.exe 9472 WriteFile C:\pwned.txt SUCCESS Offset: 0, Length: 36, Priority: Normal System
By exploiting this vulnerability, a user can gain SYSTEM privileges.
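The pattern in the logs above (a System-integrity process mapping a DLL out of a per-user temp directory) can be checked for in exported Process Monitor events. The following is an added detection sketch, not part of the original advisory or any vendor tooling. It assumes tab-separated events in the column order seen in the logs above; the sample events are constructed, and `other.exe` is hypothetical.

```python
import re

# Per-user temp directories are writable by the standard user who owns the profile.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Assumed column order, taken from the Process Monitor lines in the advisory.
COLUMNS = ("time", "process", "pid", "operation", "path", "result", "detail", "integrity")

def parse(line):
    """Split one tab-separated event line into a dict keyed by COLUMNS."""
    return dict(zip(COLUMNS, line.rstrip("\n").split("\t")))

def find_risky_loads(lines):
    """Report DLLs that a System-integrity process maps from a per-user temp directory.

    'tampered' is True when a process below System integrity wrote the same
    path before the mapping, i.e. the file may have been replaced.
    """
    low_writes = set()   # DLL paths written by non-System processes
    findings = {}        # lowercased path -> finding
    for ev in map(parse, lines):
        if len(ev) < len(COLUMNS):
            continue     # skip malformed or truncated lines
        key = ev["path"].lower()
        if not (USER_TEMP.match(key) and key.endswith(".dll")):
            continue
        if ev["operation"] == "WriteFile" and ev["integrity"] != "System":
            low_writes.add(key)
        elif ev["operation"] == "CreateFileMapping" and ev["integrity"] == "System":
            hit = findings.setdefault(key, {"process": ev["process"], "pid": int(ev["pid"]),
                                            "path": ev["path"], "tampered": False})
            hit["tampered"] = hit["tampered"] or key in low_writes
    return list(findings.values())

# Constructed sample events modelled on the advisory's logs; other.exe and its
# Medium-integrity write are hypothetical.
A = r"C:\Users\dev\AppData\Local\Temp\DX33A.tmp\dxupdate.dll"
B = r"C:\Users\dev\AppData\Local\Temp\DXFD87.tmp\dxupdate.dll"
EXE = r"C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe"
SAMPLE = ["\t".join(f) for f in [
    ("12:23:53.2485007 PM", "msiexec.exe", "1216", "CreateFile", EXE, "SUCCESS", "", "System"),
    ("12:24:46.1954409 PM", "DXSETUP.exe", "5676", "WriteFile", A, "SUCCESS", "Offset: 0", "System"),
    ("12:24:46.4868486 PM", "DXSETUP.exe", "5676", "CreateFileMapping", A, "SUCCESS", "", "System"),
    ("6:55:21.1000000 AM", "other.exe", "4321", "WriteFile", B, "SUCCESS", "Offset: 0", "Medium"),
    ("6:55:21.9254301 AM", "DXSETUP.exe", "9472", "CreateFileMapping", B, "SUCCESS", "", "System"),
]] + ["truncated line"]

if __name__ == "__main__":
    for hit in find_risky_loads(SAMPLE):
        print(hit)
```

A finding with `tampered` set to False still marks an exposed load path; True means a lower-integrity write to the same DLL was observed before the System process mapped it.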
2025-10-14 - Initial Vendor Contact
2025-10-14 - Vendor Disclosure
2025-11-06 - Vendor Patch Release
2026-01-15 - Public Release
Discovered by KPC of Cisco Talos.