Critical Vulnerability in Microsoft’s Update Health Tools Exposes Systems to Remote Code Execution
A significant security flaw has been identified in Microsoft’s Update Health Tools (KB4023057), a component widely utilized to facilitate Windows security updates via Intune. This vulnerability enables remote code execution (RCE), potentially allowing attackers to execute arbitrary code on affected systems.
Understanding the Vulnerability
The root of this issue lies in version 1.0 of the Update Health Tools, which relies on Azure Blob storage accounts named in a predictable sequence (payloadprod0 through payloadprod15.blob.core.windows.net) to retrieve configuration files and commands. Researchers at Eye Security discovered that Microsoft had left 10 out of these 15 storage accounts unregistered and inactive.
By registering these dormant endpoints, the researchers observed over 544,000 HTTP requests within a week from nearly 10,000 unique Azure tenants globally. The tool’s service, uhssvc.exe, located at C:\Program Files\Microsoft Update Health Tools, was actively resolving these domains across various enterprise environments.
Mechanism of Exploitation
The critical flaw resides in the tool’s ExecuteTool action, which permits the execution of Microsoft-signed binaries. Attackers can craft malicious JSON payloads that reference legitimate Windows executables, such as explorer.exe, to achieve arbitrary code execution on vulnerable systems.
Although version 1.1 of the Update Health Tools introduces a proper web service at devicelistenerprod.microsoft.com, backward compatibility features may still leave systems exposed.
Timeline of Discovery and Response
– July 7, 2025: Eye Security reported the vulnerability to Microsoft.
– July 17, 2025: Microsoft confirmed the behavior.
– July 18, 2025: Hashicorp researchers transferred ownership of all compromised storage accounts back to Microsoft, effectively closing the attack vector.
Recommendations for Organizations
To mitigate the risk associated with this vulnerability, organizations should:
1. Update to the Latest Version: Ensure that the latest version of Update Health Tools is installed to benefit from security enhancements.
2. Verify Configurations: Check for and disable any legacy configurations that may still be active.
3. Monitor Network Traffic: Keep an eye on unusual network activity directed towards Azure Blob storage endpoints from update services.
By taking these steps, organizations can safeguard their systems against potential exploitation stemming from this vulnerability.
