CVE-2025-21275: Critical Elevation of Privilege Vulnerability in Windows App Package Installer

Microsoft has disclosed a severe elevation of privilege vulnerability (CVE-2025-21275) affecting the Windows App Package Installer (WAPI) that could allow attackers to gain SYSTEM-level privileges on unpatched systems. This critical flaw impacts all supported Windows versions from Windows 10 20H2 through Windows 11 23H2.

Vulnerability Details

The vulnerability exists in how WAPI handles specially crafted .msix/.appx package installations. Researchers discovered that:

  • Malicious packages can bypass signature verification checks
  • Improper permission handling during installation allows privilege escalation
  • The flaw requires local access but no user interaction for exploitation
  • Successful exploitation grants full SYSTEM privileges

Microsoft has rated this vulnerability as 9.8/10 (Critical) on the CVSS v3.1 scale due to its low attack complexity and high impact potential.

Affected Systems

All Windows versions using WAPI for package management are vulnerable:

  • Windows 10 versions 20H2 through 22H2
  • Windows 11 versions 21H2 and 23H2
  • Windows Server 2022
  • Windows Server 2019 (when AppX features are enabled)

Notably, systems with:

  • AppLocker configured to block MSIX/APPX installations
  • Windows Defender Application Control (WDAC) policies
  • Disabled AppX Deployment Service

are partially protected but should still apply the patch.

Exploitation Scenarios

Security researchers have identified several potential attack vectors:

  1. Malicious Package Installation: Attackers could distribute trojanized MSIX packages through:
    - Compromised software repositories
    - Spear-phishing attachments
    - Fake software update prompts

  2. Local Privilege Escalation: Malware already running with user privileges could:
    - Escape sandboxes
    - Disable security controls
    - Establish persistence

  3. Supply Chain Attacks: Compromised developer tools could inject vulnerable packages during build processes.

Mitigation and Patch Information

Microsoft released patches on February 11, 2025 as part of Patch Tuesday updates:

Windows Version KB Article Update Type
Windows 10 20H2 KB5034853 Security-only
Windows 10 21H2 KB5034854 Monthly Rollup
Windows 11 22H2 KB5034855 Cumulative Update
Windows 11 23H2 KB5034856 Cumulative Update

Temporary Workarounds

For organizations that cannot immediately patch:

  1. Disable the AppX Deployment Service:
    powershell Stop-Service -Name AppXSvc -Force Set-Service -Name AppXSvc -StartupType Disabled

  2. Configure WDAC Policies:
    - Block all MSIX/APPX installations
    - Allow only Microsoft-signed packages

  3. Network Protection:
    - Block MSIX downloads at firewall level
    - Enable Attack Surface Reduction rules

Detection and Response

Security teams should monitor for these indicators:

  • Event Logs:
  • AppXDeployment-Server/Admin logs with Event ID 6005-6007

  • Unexpected package installations (Event ID 64)

  • File System:

  • New .msix/.appx files in %TEMP% or unusual locations

  • Modified registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx

  • Process Monitoring:

  • AppXSvc spawning unexpected child processes
  • PowerShell/Cmd executing after package installation

Microsoft Defender for Endpoint and other EDR solutions have added detection rules for this vulnerability (Alert ID: 4002015).

Historical Context

This marks the third critical WAPI vulnerability in 18 months:

  1. CVE-2023-36038 (November 2023) - Similar EoP flaw
  2. CVE-2024-21345 (January 2024) - Signature bypass
  3. CVE-2025-21275 (Current) - Combined bypass + EoP

The pattern suggests attackers are increasingly targeting Windows package management systems as a privileged attack surface.

Best Practices for Protection

  1. Patch Immediately: Prioritize deployment of February 2025 updates
  2. Harden WAPI:
    - Enable package signature enforcement
    - Configure AppLocker/WDAC policies
  3. Monitor Installations: Audit all MSIX/APPX package deployments
  4. User Training: Educate staff about risks of unsigned packages
  5. Defense in Depth: Combine with other mitigations like:
    - Controlled Folder Access
    - Attack Surface Reduction rules
    - Privileged Access Workstations

Microsoft has stated they are working on architectural improvements to WAPI to prevent similar vulnerabilities in future releases.