CVE-2025-48799

HIGH

Windows Update Service - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-48799. PoCs published by Wh04m1001, gmh5225, painoob.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-48799, an elevation of privilege vulnerability in the Windows Update service. The exploit leverages arbitrary folder deletion via symbolic link manipulation when Storage Sense is configured to use a secondary drive, leading to local privilege escalation.

Description

Improper link resolution before file access ('link following') in Windows Update Service allows an authorized attacker to elevate privileges locally.

Exploits (3)

nomisec WORKING POC 264 stars
by Wh04m1001 · poc
https://github.com/Wh04m1001/CVE-2025-48799

This repository contains a functional exploit for CVE-2025-48799, an elevation of privilege vulnerability in the Windows Update service. The exploit leverages arbitrary folder deletion via symbolic link manipulation when Storage Sense is configured to use a secondary drive, leading to local privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Update service (wuauserv) on Windows 10/11
Auth required
Prerequisites: System with at least two hard drives · Storage Sense configured to save new applications to a secondary drive
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by gmh5225 · poc
https://github.com/gmh5225/CVE-2025-48799-

This repository contains a functional proof-of-concept exploit for CVE-2025-48799, targeting an integer overflow vulnerability in Apache Tomcat 9.0.48's HTTP header parser. The exploit crafts a malformed 'X-Forwarded' header to trigger memory corruption and execute shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 9.0.48
No auth needed
Prerequisites: Vulnerable Apache Tomcat 9.0.48 instance · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by painoob · poc
https://github.com/painoob/CVE-2025-48799

This repository contains a functional proof-of-concept exploit for CVE-2025-48799, an elevation of privilege vulnerability in the Windows Update service. The exploit leverages arbitrary folder deletion via symbolic link manipulation when Storage Sense is configured to use a secondary drive.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Update service (wuauserv) on Windows 10/11
No auth needed
Prerequisites: System with at least two hard drives · Storage Sense configured to save new applications to a secondary drive
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.8
EPSS 0.0103
EPSS Percentile 59.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-59
Status published
Products (8)
microsoft/windows_10_1607 < 10.0.14393.8246 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.7558 (2 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.6093
microsoft/windows_10_22h2 < 10.0.19045.6093
microsoft/windows_11_22h2 < 10.0.22621.5624
microsoft/windows_11_23h2 < 10.0.22631.5624
microsoft/windows_11_24h2 < 10.0.26100.4652
microsoft/windows_server_2025 < 10.0.26100.4652
Published Jul 08, 2025
Tracked Since Feb 18, 2026