CVE-2025-48799 PoC — Microsoft Windows Update 后置链接漏洞

Source

Associated Vulnerability

Readme

# Description
This is PoC for CVE-2025-48799, an elevation of privilege vulnerability in Windows Update service.

This vulnability affects windows clients (win11/win10) with at least 2 hard drives. When machine have multiple hard drives it is possible to change location where new content is saved using the Storage Sense. If location for new applications is changed to secondary drive, during the installation of new application the wuauserv service will perform arbitrary folder deletion without checking for symbolic links (if file is encountered the service will check final path using GetFinalPathByHandle) which leads to LPE.

This PoC utilise method (and some code) descibed in ZDI blog post: https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks

## PoC


https://github.com/user-attachments/assets/5e8b2a59-b787-4ba7-a6dc-1c71a9b3ba12

File Snapshot

 [4.0K]  /data/pocs/4e0d47ece33258cc51528a7848b6199d8323bede
├── [ 916]  README.md
└── [4.0K]  WinUpdateEoP
    ├── [558K]  5eeabb3.rbs
    ├── [4.2K]  def.h
    ├── [4.4K]  FileOplock.cpp
    ├── [1.0K]  FileOplock.h
    ├── [ 16K]  FileOrFolderDelete.cpp
    ├── [ 10K]  main.cpp
    ├── [184K]  Msi_EoP.msi
    ├── [ 440]  resource.aps
    ├── [ 300]  resource.h
    ├── [2.1K]  resource.rc
    ├── [1.4K]  WinUpdateEoP.sln
    ├── [6.8K]  WinUpdateEoP.vcxproj
    ├── [1.6K]  WinUpdateEoP.vcxproj.filters
    └── [ 168]  WinUpdateEoP.vcxproj.user

1 directory, 15 files

Remarks