CVE-2025-68623
Received Received - Intake
Privilege Escalation via Executable Replacement in Microsoft DirectX Installer

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: MITRE

Description
In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. During installation, the installer runs with HIGH integrity and downloads executables and DLLs to the %TEMP% folder - writable by standard users. Subsequently, the installer executes the downloaded executable with HIGH integrity to complete the application installation. However, an attacker can replace the downloaded executable with a malicious, user-controlled executable. When the installer executes this replaced file, it runs the attacker's code with HIGH integrity. Since code running at HIGH integrity can escalate to SYSTEM level by registering and executing a service, this creates a complete privilege escalation chain from standard user to SYSTEM. NOTE: The Supplier disputes this record stating that they have determined this to be the behavior as designed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68623
EUVD
EUVD-2025-208593
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
microsoft directx_end-user_runtime_web_installer 9.29.1974.1
microsoft directx_end-user_runtime_web_installer 9.29.1974.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68623 is a local privilege escalation vulnerability in the Microsoft DirectX End-User Runtime Web Installer version 9.29.1974.0.

During installation, the installer creates a temporary folder in the %TEMP% directory and writes an executable file named dxwsetup.exe there. This folder is writable by standard (low-privilege) users, allowing an attacker to replace dxwsetup.exe with a malicious executable.

When the installer subsequently runs dxwsetup.exe with high integrity privileges to complete the installation, the attacker-controlled executable is executed with elevated privileges, resulting in privilege escalation.

This happens because the installer improperly controls access to the temporary installation folder, allowing a low-privilege user to substitute the executable that runs with high privileges.

Impact Analysis

This vulnerability allows a low-privilege user to execute arbitrary code with high integrity privileges during the installation process.

An attacker can replace the legitimate executable with a malicious one that runs with elevated privileges, potentially allowing them to perform high-privilege actions such as creating or modifying files in protected system locations.

This creates a complete privilege escalation chain from a standard user to SYSTEM level, which could lead to full system compromise.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring the installation process of the Microsoft DirectX End-User Runtime Web Installer (dxwebsetup.exe), specifically looking for the creation and execution of the temporary executable dxwsetup.exe in the %TEMP% folder.

Using tools like Process Monitor, you can track file creation and execution events in the %TEMP% directory to identify if dxwsetup.exe is being replaced or executed unexpectedly.

  • Use Process Monitor (ProcMon) to filter for events involving dxwebsetup.exe and dxwsetup.exe in the %TEMP% folder.
  • Run the following PowerShell command to check for suspicious executable files in the %TEMP% directory during or after installation: Get-ChildItem $env:TEMP -Filter dxwsetup.exe -Recurse | Select-Object FullName, LastWriteTime
  • Check for unexpected file modifications or replacements in the %TEMP% folder by comparing file hashes before and after installation.
Mitigation Strategies

To mitigate this vulnerability, restrict write permissions to the %TEMP% folder during the installation process to prevent low-privilege users from replacing the dxwsetup.exe executable.

Avoid running the DirectX End-User Runtime Web Installer with elevated privileges in environments where untrusted users have access.

Monitor and validate the integrity of executables in the %TEMP% directory before execution.

If possible, use updated or alternative installers that do not exhibit this behavior or apply vendor patches once available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68623. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart