A critical\u00a0remote code execution (RCE<\/a>) vulnerability\u00a0in Microsoft\u2019s Update Health Tools (KB4023057). A widely deployed Windows component designed to expedite security updates through Intune.<\/p>\n The flaw stems from the tool connecting to dropped Azure Blob storage<\/a> accounts that attackers could register and control.\u200b<\/p>\n The vulnerability exists in version 1.0 of the Update Health Tools, which uses Azure Blob storage accounts following a\u00a0predictable naming pattern\u00a0(payloadprod0 through payloadprod15.blob.core.windows.net) to fetch configuration files<\/a> and commands.<\/p>\n Eye Security researchers found that Microsoft had left 10 of the 15 storage accounts unregistered and unused.<\/p>\n After registering these abandoned endpoints, the researchers observed over\u00a0544,000 HTTP requests\u00a0within seven days from nearly 10,000 unique Azure tenants worldwide.<\/p>\n The tool\u2019s\u00a0uhssvc.exe\u00a0service, located at C:Program FilesMicrosoft Update Health Tools, was actively resolving these domains across multiple enterprise environments.\u200b<\/p>\n The critical issue lies in the tool\u2019s \u201cExecuteTool\u201d action, which allows execution of Microsoft<\/a>-signed binaries.<\/p>\n By crafting malicious JSON<\/a> payloads that point to legitimate Windows executables such as explorer.exe, attackers can achieve arbitrary code <\/a>execution on vulnerable systems.\u200b<\/p>\n The newer version 1.1 implements a proper web service at devicelistenerprod.microsoft.com, though backward-compatibility options could still expose systems.\u200b<\/p>\n Eye Security reported<\/a> the vulnerability to Microsoft on\u00a0July 7, 2025, and Microsoft confirmed the behavior on July 17.<\/p>\n Hashicorp researchers transferred ownership of all compromised storage accounts back to Microsoft on\u00a0July 18, 2025, effectively closing the attack vector.\u200b<\/p>\n Organizations should ensure they are running the latest version of Update Health Tools and verify no legacy configurations remain enabled.<\/p>\n Security teams should monitor for unusual network traffic to Azure Blob storage endpoints from update services.\u200b<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Microsoft\u2019s Update Health Tools Configuration Vulnerability Let Attackers Execute Arbitrary Code Remotely<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nHow the Vulnerability Works<\/strong><\/h2>\n
![\"uhssvc.exe](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhICPO4Qcu0DjbOv3glbt_zWAVuFgVU5wC5uA8Oc-OHSlyerIR1sJEW8VipqJLO6ZQ0fgUYHKa6yOQD6riDxZL-n-NQtF1ICWKuDKfa4GoEwgLT-GIMy5a5QRZIJsJFa6crAUY3howIbf3YEZlAWmvhVKmrYQJ3mqAE5Zw9xuR7FmQDpFFaLFxo35lQXTw\/s1600\/Screenshot%25202025-11-25%2520120858%2520%25281%2529.webp?ssl=1\")