CVE-2025-61973
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: Talos
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| epic_games | epic_games_store | 14.6.2.0 |
| unknown_vendor | dxsetup | 4.9.0.0904 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61973 is a local privilege escalation vulnerability occurring during the installation of the Epic Games Store via the Microsoft Store. During installation, a process called DXSETUP.exe runs with SYSTEM privileges and creates a temporary folder in the user's %TEMP% directory where it writes a DLL file named dxupdate.dll. Because this temporary folder is writable by low-privilege users, an attacker can replace the legitimate dxupdate.dll with a malicious DLL. When DXSETUP.exe loads this malicious DLL, it executes code with SYSTEM-level privileges, allowing the attacker to escalate their privileges on the system. [1]
How can this vulnerability impact me? :
This vulnerability can allow a low-privilege user to gain SYSTEM-level privileges on the affected machine. This means an attacker could execute arbitrary code with the highest system privileges, potentially leading to full system compromise, unauthorized access to sensitive data, installation of persistent malware, or disruption of system operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the creation and modification of the dxupdate.dll file in the temporary folder created by DXSETUP.exe under the user's %TEMP% directory during the Epic Games Store installation. Using tools like Process Monitor to log file system activity can help identify if dxupdate.dll is replaced or modified by a low-privilege user. Additionally, checking for unexpected files created with SYSTEM privileges, such as C:\pwned.txt as demonstrated in the exploit, can indicate exploitation. Specific commands are not provided, but monitoring file writes and permissions in the %TEMP% directory during installation is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch released on 2025-11-06 by the vendor to fix the vulnerability. Until patched, restrict low-privilege users from having write access to the temporary folder created by DXSETUP.exe during installation, or avoid installing the Epic Games Store version 14.6.2.0 or DXSETUP.exe version 4.9.0.0904. Monitoring installation processes and ensuring that only trusted users can perform installations can also reduce risk. [1]