CVE-2025-68623
Privilege Escalation via Executable Replacement in Microsoft DirectX Installer
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | directx_end-user_runtime_web_installer | 9.29.1974.1 |
| microsoft | directx_end-user_runtime_web_installer | 9.29.1974.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68623 is a local privilege escalation vulnerability in the Microsoft DirectX End-User Runtime Web Installer version 9.29.1974.0.
During installation, the installer creates a temporary folder in the %TEMP% directory and writes an executable file named dxwsetup.exe there. This folder is writable by standard (low-privilege) users, allowing an attacker to replace dxwsetup.exe with a malicious executable.
When the installer subsequently runs dxwsetup.exe with high integrity privileges to complete the installation, the attacker-controlled executable is executed with elevated privileges, resulting in privilege escalation.
This happens because the installer improperly controls access to the temporary installation folder, allowing a low-privilege user to substitute the executable that runs with high privileges.
How can this vulnerability impact me? :
This vulnerability allows a low-privilege user to execute arbitrary code with high integrity privileges during the installation process.
An attacker can replace the legitimate executable with a malicious one that runs with elevated privileges, potentially allowing them to perform high-privilege actions such as creating or modifying files in protected system locations.
This creates a complete privilege escalation chain from a standard user to SYSTEM level, which could lead to full system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the installation process of the Microsoft DirectX End-User Runtime Web Installer (dxwebsetup.exe), specifically looking for the creation and execution of the temporary executable dxwsetup.exe in the %TEMP% folder.
Using tools like Process Monitor, you can track file creation and execution events in the %TEMP% directory to identify if dxwsetup.exe is being replaced or executed unexpectedly.
- Use Process Monitor (ProcMon) to filter for events involving dxwebsetup.exe and dxwsetup.exe in the %TEMP% folder.
- Run the following PowerShell command to check for suspicious executable files in the %TEMP% directory during or after installation: Get-ChildItem $env:TEMP -Filter dxwsetup.exe -Recurse | Select-Object FullName, LastWriteTime
- Check for unexpected file modifications or replacements in the %TEMP% folder by comparing file hashes before and after installation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, restrict write permissions to the %TEMP% folder during the installation process to prevent low-privilege users from replacing the dxwsetup.exe executable.
Avoid running the DirectX End-User Runtime Web Installer with elevated privileges in environments where untrusted users have access.
Monitor and validate the integrity of executables in the %TEMP% directory before execution.
If possible, use updated or alternative installers that do not exhibit this behavior or apply vendor patches once available.