Microsoft DirectX Installer Allows Malicious Code Execution with Elevated Privileges

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.8

Microsoft DirectX Installer Allows Malicious Code Execution with Elevated Privileges

CVE-2025-68623

Summary

A user with limited access can replace a file during installation, allowing a malicious script to run with high-level access. This could lead to unauthorized access to the system. Update to the latest version to prevent this from happening.

Original title

Original description

In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. During installation, the installer runs with HIGH integrity and downloads executables and DLLs to the %TEMP% folder - writable by standard users. Subsequently, the installer executes the downloaded executable with HIGH integrity to complete the application installation. However, an attacker can replace the downloaded executable with a malicious, user-controlled executable. When the installer executes this replaced file, it runs the attacker's code with HIGH integrity. Since code running at HIGH integrity can escalate to SYSTEM level by registering and executing a service, this creates a complete privilege escalation chain from standard user to SYSTEM. NOTE: The Supplier disputes this record stating that they have determined this to be the behavior as designed.

Vulnerability type

CWE-284 Improper Access Control

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026