CVE-2025-68623
A local privilege escalation vulnerability exists in the installation process of the Microsoft DirectX End-User Runtime Web Installer. The installer stages an executable in a user-writable temporary folder and then runs it with high integrity, so a low-privilege user who replaces that executable before it is launched may obtain an unintended elevation of privileges.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0
DirectX End-User Runtime Web Installer – https://www.microsoft.com/en-us/download/details.aspx?id=35
8.8 – CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-284 – Improper Access Control
The DirectX End-User Runtime Web Installer installs additional legacy DirectX libraries but does not upgrade the core DirectX version supported by Windows.
The Microsoft DirectX End-User Runtime Web Installer (`dxwebsetup.exe`) creates a temporary folder (`IXP000.TMP`) under `%TEMP%` during installation and then writes the `dxwsetup.exe` executable into that folder. This behavior can be observed in the following `Process Monitor` log entries (the first `CreateFile` probes for an existing file, the second creates it):
```
11:10:31.6282244 AM  dxwebsetup.exe  11440  CreateFile  C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe  NAME NOT FOUND  Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a  High
11:10:31.6300581 AM  dxwebsetup.exe  11440  CreateFile  C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe  SUCCESS  Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created  High
```
Next, `dxwebsetup.exe` runs the staged `dxwsetup.exe` to complete the installation. Because the installer itself is running at high integrity, so is the child process, as shown below:
```
11:10:32.2195484 AM  dxwebsetup.exe  11440  Process Create  C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe  SUCCESS  PID: 9852, Command line: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe  High
[…]
11:10:32.2195659 AM  dxwsetup.exe  9852  Process Start  SUCCESS  Parent PID: 11440, Command line: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe, Current directory: C:\Users\dev\AppData\Local\Temp\IXP000.TMP, Environment: […]
```
The vulnerability exists because the installer's temporary folder is created under the user's own `%TEMP%` and is therefore writable by the standard user running the installer (and by any other process running as that user). Between the moment `dxwebsetup.exe` writes `dxwsetup.exe` and the moment it launches it, an attacker with user privileges can replace the file with a malicious executable. When `dxwebsetup.exe` then runs `dxwsetup.exe`, it executes the attacker-controlled file with high integrity privileges.
The `Process Monitor` log below shows the creation of `C:\pwned.txt` when the attacker-controlled `dxwsetup.exe` is executed. With the default ACL on the system drive, a standard user cannot create a file directly in the root directory, so this write confirms that the replaced binary ran with elevated privileges.
```
11:31:15.5356631 AM  dxwsetup.exe  11212  CreateFile  C:\pwned.txt  SUCCESS  Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created  High
11:31:15.5378461 AM  dxwsetup.exe  11212  WriteFile  C:\pwned.txt  SUCCESS  Offset: 0, Length: 36, Priority: Normal  High
11:31:15.5384271 AM  dxwsetup.exe  11212  CloseFile  C:\pwned.txt  SUCCESS  High
```
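The stage-then-execute pattern above (an executable written into a user-writable temp directory, then launched by a high-integrity process) is easy to pick out of a Process Monitor export. The following is an added example, not code from the advisory or from Talos: it parses a constructed CSV sample shaped like a Process Monitor export with the optional Integrity column enabled (the column layout, the `USER_WRITABLE` location list and the sample rows are all assumptions), and for every High-integrity `Process Create` of a path under a user-writable directory reports which process staged the file and how long it sat on disk before launch, which is the window in which it could have been swapped.

```python
"""Flag the stage-then-execute pattern from this advisory in a Process Monitor CSV export:
an .exe written into a user-writable temp directory and later launched at High integrity.
Added example for this page; the sample data below is constructed, not a real capture."""
import csv
import io
import re

# Constructed sample in the shape of a Process Monitor CSV export with the optional
# "Integrity" column enabled. The column order is an assumption: if your export differs,
# only the header line changes, the DictReader keys used below stay the same.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Integrity"
"11:10:31.6300581 AM","dxwebsetup.exe","11440","CreateFile","C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created","High"
"11:10:32.2195484 AM","dxwebsetup.exe","11440","Process Create","C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe","SUCCESS","PID: 9852, Command line: C:\Users\dev\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe","High"
"11:10:40.0000000 AM","svchost.exe","1234","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 2222, Command line: notepad.exe","High"
"11:10:41.0000000 AM","explorer.exe","4321","Process Create","C:\Users\dev\AppData\Local\Temp\tool.exe","SUCCESS","PID: 3333, Command line: tool.exe","Medium"
'''

# Locations a standard user can write to. Assumed starting list; extend for your environment.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)


def _seconds_of_day(stamp: str) -> float:
    """'11:10:31.6300581 AM' -> seconds since midnight, keeping the 100 ns digits.
    Does not handle a capture that crosses midnight."""
    clock, meridian = stamp.split()
    hours, minutes, seconds = clock.split(":")
    hour24 = int(hours) % 12 + (12 if meridian.upper() == "PM" else 0)
    return hour24 * 3600 + int(minutes) * 60 + float(seconds)


def parse_procmon_csv(text: str) -> list[dict]:
    """One dict per event, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def find_staged_high_integrity_launches(rows: list[dict]) -> list[dict]:
    """One finding per Process Create of a user-writable path by a High-integrity process.
    If the same path was created earlier in the log, the finding also records who wrote it
    and how many seconds the file sat on disk before launch (the replacement window)."""
    staged = {}    # lowercased path -> CreateFile row that created it
    findings = []
    for row in rows:
        path = row["Path"]
        if not USER_WRITABLE.match(path):
            continue
        key = path.lower()
        op = row["Operation"]
        if op == "CreateFile" and "OpenResult: Created" in row["Detail"] and key.endswith(".exe"):
            staged[key] = row
        elif op == "Process Create" and row["Integrity"] == "High":
            creator = staged.get(key)
            findings.append({
                "time": row["Time of Day"],
                "launcher": row["Process Name"],
                "launcher_pid": row["PID"],
                "path": path,
                "staged_by": creator["Process Name"] if creator else None,
                "window_s": (_seconds_of_day(row["Time of Day"])
                             - _seconds_of_day(creator["Time of Day"])) if creator else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_staged_high_integrity_launches(parse_procmon_csv(SAMPLE_CSV)):
        line = f"{f['time']} {f['launcher']}({f['launcher_pid']}) launched {f['path']} at High integrity"
        if f["staged_by"] is not None:
            line += f"; staged by {f['staged_by']} {f['window_s']:.3f}s earlier"
        print(line)
```

On the sample the only hit is the `dxwebsetup.exe` launch of `dxwsetup.exe`, about 0.59 s after the file was written; the `notepad.exe` launch is ignored because `System32` is not user-writable, and the `tool.exe` launch is ignored because the launching process is Medium integrity. Against a real export, a `Process Create` with no matching `CreateFile` is still worth a look: it means the high-integrity process ran something from a user-writable location that some other process put there.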
Note that some applications bundle the Microsoft DirectX End-User Runtime Web Installer to install DirectX components. Such applications may also be affected by this issue.
2025-10-30 – Vendor Disclosure
2025-11-17 – Vendor rejects the issue as being “by design”
2025-12-09 – Submitted dispute to Mitre
2026-01-14 – Vendor finally rejects vulnerability
2026-01-23 – Email from Mitre to vendor, request for information
2026-02-16 – Mitre sends follow-up email to vendor
2026-02-17 – Vendor indicates reason for rejection based on misunderstanding the vulnerability for months, requests additional information
2026-02-17 – Additional information provided to vendor
2026-02-20 – Vendor requests more time to reassess the issue
2026-03-03 – Mitre asks for reply from vendor; no reply
2026-03-09 – Mitre assigns CVE
2026-03-11 – Public Release
Discovered by KPC of Cisco Talos.
