Description
In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. During installation, the installer runs with HIGH integrity and downloads executables and DLLs to the %TEMP% folder - writable by standard users. Subsequently, the installer executes the downloaded executable with HIGH integrity to complete the application installation. However, an attacker can replace the downloaded executable with a malicious, user-controlled executable. When the installer executes this replaced file, it runs the attacker's code with HIGH integrity. Since code running at HIGH integrity can escalate to SYSTEM level by registering and executing a service, this creates a complete privilege escalation chain from standard user to SYSTEM. NOTE: The Supplier disputes this record stating that they have determined this to be the behavior as designed.
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, where a low-privilege user can replace a downloaded executable during installation. The installer runs with HIGH integrity and downloads files to the %TEMP% folder, which is writable by standard users; it then executes the downloaded file with HIGH integrity. If the file is replaced with a malicious binary before that point, the attacker's code runs at HIGH integrity and can register a service to elevate to SYSTEM, creating a full privilege escalation chain. The record classifies the weakness as CWE-284 (Improper Access Control).
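
Detection logic for the pattern described above, added here as an illustration and not part of the CVE record or any vendor tooling: it correlates Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records and flags an elevated process started from %TEMP% whose file was last written by a process other than its launcher. The event dictionaries, paths and file names are constructed for the example.

```python
from datetime import datetime

TEMP_MARKER = "\\appdata\\local\\temp\\"  # per-user %TEMP%, writable by standard users
ELEVATED = {"High", "System"}

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def find_replaced_temp_executions(events):
    """Flag elevated processes started from %TEMP% whose image file was
    last written by a process other than the one that launched it."""
    last_writer = {}  # lower-cased file path -> (writer image, write time)
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 11:  # FileCreate (fires on create and on overwrite)
            last_writer[ev["TargetFilename"].lower()] = (ev["Image"], ev["UtcTime"])
        elif ev["EventID"] == 1:  # ProcessCreate
            image = ev["Image"].lower()
            if ev["IntegrityLevel"] not in ELEVATED or TEMP_MARKER not in image:
                continue
            writer, written_at = last_writer.get(image, (None, None))
            if writer and writer.lower() != ev["ParentImage"].lower():
                findings.append({"image": ev["Image"], "launched_by": ev["ParentImage"],
                                 "last_written_by": writer, "written_at": written_at,
                                 "executed_at": ev["UtcTime"]})
    return findings

# Constructed sample events (hypothetical paths and file names, not from the CVE record).
TEMP = r"C:\Users\alice\AppData\Local\Temp\dxstage"
INSTALLER = r"C:\Users\alice\Downloads\web_installer.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2026-03-12 09:00:01.100", "Image": INSTALLER,
     "TargetFilename": TEMP + r"\helper.exe"},
    {"EventID": 11, "UtcTime": "2026-03-12 09:00:01.400", "Image": INSTALLER,
     "TargetFilename": TEMP + r"\stage.exe"},
    {"EventID": 11, "UtcTime": "2026-03-12 09:00:01.900", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": TEMP + r"\stage.exe"},
    {"EventID": 1, "UtcTime": "2026-03-12 09:00:02.300", "Image": TEMP + r"\helper.exe",
     "ParentImage": INSTALLER, "IntegrityLevel": "High"},
    {"EventID": 1, "UtcTime": "2026-03-12 09:00:02.600", "Image": TEMP + r"\stage.exe",
     "ParentImage": INSTALLER, "IntegrityLevel": "High"},
]

if __name__ == "__main__":
    for finding in find_replaced_temp_executions(SAMPLE_EVENTS):
        print(finding)
```

Only the second launch is flagged: both files are executed at HIGH integrity from %TEMP%, but only one was overwritten by a different process between download and execution.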

Affected Systems

Windows systems that use the DirectX End‑User Runtime Web Installer version 9.29.1974.0 and allow standard users to initiate the installation are affected. No other releases are confirmed to be impacted.

Risk and Exploitability

The CVSS score (8.8) denotes high severity. The low EPSS (<1%) and absence from the KEV catalog suggest the exploit may not be actively used yet. The attack vector is local; an attacker only needs to run the installer with standard user permissions and replace the executable during the download phase. Because the attacker can easily alter the file prior to its execution, exploit complexity is low, giving a high likelihood of successful use if the scenario is present.

Generated by OpenCVE AI on March 17, 2026 at 15:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft update available at https://www.microsoft.com/en-us/download/details.aspx?id=35
  • Restrict standard users' write permissions on the %TEMP% folder the installer uses, so that the downloaded executable cannot be replaced before it runs
  • Ensure the installer is run only by trusted, elevated accounts


Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:45:00 +0000

Type: Title
Values Added: Privilege Escalation via Executable Replacement in DirectX End-User Runtime Web Installer

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Microsoft; Microsoft directx End-user Runtime Web Installer

Type: Vendors & Products
Values Added: Microsoft; Microsoft directx End-user Runtime Web Installer

Wed, 11 Mar 2026 19:15:00 +0000

Type: Weaknesses
Values Added: CWE-284

Type: Metrics
Values Added:
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 17:30:00 +0000


Wed, 11 Mar 2026 16:30:00 +0000

Type: Description
Values Added: the description text given at the top of this record

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-11T18:26:58.163Z

Reserved: 2025-12-19T00:00:00.000Z

Link: CVE-2025-68623

Vulnrichment

Updated: 2026-03-11T16:20:19.379Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T17:16:52.750

Modified: 2026-03-12T21:08:22.643

Link: CVE-2025-68623

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:33:46Z
