CVE-2025-68623
A local privilege escalation vulnerability exists during the installation of Microsoft DirectX End-User Runtime. A low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0
DirectX End-User Runtime Web Installer - https://www.microsoft.com/en-us/download/details.aspx?id=35
8.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-284 - Improper Access Control
The DirectX End-User Runtime Web Installer installs additional legacy DirectX libraries but does not upgrade the core DirectX version supported by Windows.
The Microsoft DirectX End-User Runtime Web installer (dxwebsetup.exe) creates a temporary folder under %TEMP% during installation and then writes the dxwsetup.exe executable into that folder. This behavior can be observed in the following Process Monitor logs:
11:10:31.6282244 AM dxwebsetup.exe 11440 CreateFile C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a High
11:10:31.6300581 AM dxwebsetup.exe 11440 CreateFile C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe SUCCESS Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created High
Next, it runs the dxwsetup.exe executable with high integrity to complete the installation, as shown below:
11:10:32.2195484 AM dxwebsetup.exe 11440 Process Create C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe SUCCESS PID: 9852, Command line: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe High
[...]
11:10:32.2195659 AM dxwsetup.exe 9852 Process Start SUCCESS Parent PID: 11440, Command line: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, Current directory: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\, Environment:
[...]
The vulnerability exists because the installer’s temporary folder is writable by standard users. An attacker with user privileges can exploit this by replacing dxwsetup.exe with a malicious executable. When dxwebsetup.exe runs dxwsetup.exe, it will execute the attacker-controlled file with high integrity privileges.
The Process Monitor log below shows the creation of C:\pwned.txt when the attacker-controlled dxwsetup.exe is loaded. Note that only a high-privilege user can create a file in the root directory.
11:31:15.5356631 AM dxwsetup.exe 11212 CreateFile C:\pwned.txt SUCCESS Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created High
11:31:15.5378461 AM dxwsetup.exe 11212 WriteFile C:\pwned.txt SUCCESS Offset: 0, Length: 36, Priority: Normal High
11:31:15.5384271 AM dxwsetup.exe 11212 CloseFile C:\pwned.txt SUCCESS High
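The write-then-launch sequence in the logs above is also what a defender can look for after the fact. The following script is an added example, not Talos or Microsoft code: it parses Process Monitor text output of the shape shown in this advisory, flags Process Create events in which a High- or System-integrity process launches an image from a user-writable temp folder, and pairs each such launch with the earlier CreateFile that staged the image, reporting the window during which the file could have been replaced. The sample log is the advisory's own excerpt; the field layout of the regular expression and the temp-path patterns are assumptions about a default Windows installation, and paths containing spaces would need Procmon's CSV export instead.

```python
"""Detect the staging-then-launch pattern behind CVE-2025-68623 in Process
Monitor text output: an elevated process writes an executable into a
user-writable %TEMP% folder and later launches it from there."""
import re

# One Procmon text line: time, process, PID, operation, path, result,
# operation detail, integrity level. Assumption: paths contain no spaces
# (true for the excerpt on this page); otherwise use the CSV export.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}\.\d+ [AP]M) "
    r"(?P<proc>\S+) (?P<pid>\d+) "
    r"(?P<op>CreateFile|WriteFile|CloseFile|Process Create) "
    r"(?P<path>\S+) "
    r"(?P<result>SUCCESS|NAME NOT FOUND) "
    r"(?P<detail>.*?)\s*"
    r"(?P<integrity>Low|Medium|High|System)$"
)

# Temp locations a standard user can write to (assumption: default layout).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
ELEVATED = {"High", "System"}

# Constructed sample: the Process Monitor lines quoted in this advisory.
SAMPLE_LOG = [
    r"11:10:31.6282244 AM dxwebsetup.exe 11440 CreateFile C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a High",
    r"11:10:31.6300581 AM dxwebsetup.exe 11440 CreateFile C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe SUCCESS Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created High",
    r"11:10:32.2195484 AM dxwebsetup.exe 11440 Process Create C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe SUCCESS PID: 9852, Command line: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe High",
    r"11:31:15.5356631 AM dxwsetup.exe 11212 CreateFile C:\pwned.txt SUCCESS Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created High",
]


def _seconds(ts):
    """Convert a Procmon time such as '11:10:31.6300581 AM' to seconds since midnight."""
    h, m, s, frac, ampm = re.match(r"(\d+):(\d+):(\d+)\.(\d+) ([AP]M)", ts).groups()
    hour = int(h) % 12 + (12 if ampm == "PM" else 0)
    return hour * 3600 + int(m) * 60 + int(s) + int(frac) / 10 ** len(frac)


def parse_line(line):
    """Return the parsed fields of one Procmon text line, or None if it does not fit."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def find_temp_launches(lines):
    """Process Create events where an elevated process launches an image from a temp folder."""
    hits = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["op"] == "Process Create" and ev["integrity"] in ELEVATED and TEMP_RE.search(ev["path"]):
            child = re.search(r"PID: (\d+)", ev["detail"])
            hits.append({"time": ev["time"], "parent_pid": ev["pid"],
                         "child_pid": child.group(1) if child else None, "path": ev["path"]})
    return hits


def find_stage_then_launch(lines):
    """Pair each staging write (CreateFile with OpenResult: Created, elevated, in a
    temp folder) with a later Process Create of the same path; the time between
    them is the window in which the staged file could be swapped."""
    staged = {}  # lower-cased path -> (time, pid of the writer)
    findings = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["integrity"] not in ELEVATED or not TEMP_RE.search(ev["path"]):
            continue
        key = ev["path"].lower()
        if ev["op"] == "CreateFile" and "OpenResult: Created" in ev["detail"]:
            staged[key] = (ev["time"], ev["pid"])
        elif ev["op"] == "Process Create" and key in staged:
            t0, writer = staged[key]
            findings.append({"path": ev["path"], "writer_pid": writer, "launcher_pid": ev["pid"],
                             "window_s": _seconds(ev["time"]) - _seconds(t0)})
    return findings


if __name__ == "__main__":
    for hit in find_temp_launches(SAMPLE_LOG):
        print(f"elevated launch from temp: pid {hit['parent_pid']} -> {hit['child_pid']} {hit['path']}")
    for f in find_stage_then_launch(SAMPLE_LOG):
        print(f"{f['path']} staged by pid {f['writer_pid']}, launched {f['window_s'] * 1000:.1f} ms later")
```

On the advisory's excerpt the script reports a single elevated launch from IXP000.TMP (parent 11440, child 9852) and a staging window of roughly 590 ms between the OverwriteIf write and the launch; the C:\pwned.txt write is not a temp-folder event and is left alone. The same rule can be applied to other installers that extract to %TEMP% and then execute from there, which is the class of behavior the note below about third-party applications refers to.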
Note that some applications use the Microsoft DirectX End-User Runtime Web installer to install DirectX components. Such applications may also be affected by this issue.
2025-10-30 - Vendor Disclosure
2025-11-17 - Vendor rejects the issue as being “by design”
2025-12-09 - Submitted dispute to Mitre
2026-01-14 - Vendor finally rejects vulnerability
2026-01-23 - Email from Mitre to vendor, request for information
2026-02-16 - Mitre sends follow-up email to vendor
2026-02-17 - Vendor indicates that the rejection was based on a months-long misunderstanding of the vulnerability; requests additional information
2026-02-17 - Additional information provided to vendor
2026-02-20 - Vendor requests more time to reassess the issue
2026-03-03 - Mitre asks for a reply from vendor; no reply
2026-03-09 - Mitre assigns CVE
2026-03-11 - Public Release
Discovered by KPC of Cisco Talos.