Severity
High
Analysis Summary
A critical remote code execution (RCE) vulnerability was discovered in Microsoft’s Update Health Tools (KB4023057), a widely deployed Windows component used to accelerate security updates through Intune. The flaw arises from the tool’s reliance on Azure Blob storage accounts that follow a predictable naming pattern (payloadprod0 through payloadprod15.blob.core.windows.net) to fetch configuration files and commands. Researchers found that 10 out of these 15 storage accounts were left unregistered and unused, so anyone able to register those account names would be in a position to serve commands to the tool.
The vulnerability affects version 1.0 of Update Health Tools, where the uhssvc.exe service actively resolves these Azure domains across enterprise environments. By registering the abandoned storage accounts, researchers observed more than 544,000 HTTP requests within seven days from nearly 10,000 unique Azure tenants worldwide. The critical risk stems from the tool’s ExecuteTool action, which allows execution of Microsoft-signed binaries. Attackers can craft malicious JSON payloads that point to legitimate Windows executables, such as explorer.exe, enabling arbitrary code execution on vulnerable systems.
Microsoft addressed the vulnerability in version 1.1, which routes update commands through a proper web service (devicelistenerprod.microsoft.com). However, backward-compatibility options may still leave some systems exposed. The researcher responsibly reported the issue to Microsoft on July 7, 2025, with Microsoft confirming the behavior on July 17. Researchers from HashiCorp transferred ownership of all compromised storage accounts back to Microsoft on July 18, 2025, effectively closing the primary attack vector.
Organizations are advised to upgrade to the latest version of Update Health Tools and ensure no legacy configurations remain enabled. Security teams should monitor for unusual network traffic to Azure Blob storage endpoints originating from update services, since such behavior could indicate exploitation attempts. Keeping this component updated and monitoring enterprise networks are the critical steps for preventing exploitation of this RCE vulnerability.
Impact
- Code Execution
- Gain Access
Affected Vendors
Remediation
- Update Microsoft Update Health Tools to the latest version (v1.1 or above) across all endpoints.
- Remove or disable any legacy configurations that rely on Update Health Tools version 1.0.
- Block or monitor network traffic to suspicious Azure Blob storage endpoints matching the pattern payloadprod*.blob.core.windows.net.
- Implement strict outbound traffic monitoring on update-related services to detect abnormal connections.
- Validate the integrity and expected behavior of the uhssvc.exe service on all Windows systems.
- Deploy endpoint detection and response (EDR) rules to flag abnormal execution of Microsoft-signed binaries triggered by update tools.
- Review security policies in Intune and ensure no outdated device management configurations persist.
- Conduct a full configuration audit of update services to verify no unauthorized domains or endpoints are being contacted.
- Enforce least privilege on systems running update services to minimize impact in case of exploitation.
- Ensure that incident response teams are aware of the vulnerability and prepared to respond to suspicious blob storage activity.
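The two monitoring items above (traffic to payloadprod*.blob.core.windows.net and abnormal egress from the update service) can be checked against egress logs. The following is an added example, not code from the advisory or from Microsoft; it assumes a constructed key=value log format with `ts`, `process` and `host` fields, and treats devicelistenerprod.microsoft.com as the only expected destination for uhssvc.exe, per the advisory's description of version 1.1.

```python
import re
from typing import Dict, List, Optional, Tuple

# Legacy Azure Blob accounts named in the advisory (payloadprod0 .. payloadprod15).
LEGACY_BLOB_RE = re.compile(r"^payloadprod\d{1,2}\.blob\.core\.windows\.net$", re.I)
# Web service used by Update Health Tools v1.1, per the advisory.
EXPECTED_HOST = "devicelistenerprod.microsoft.com"
# Service binary the advisory names as the one resolving the Azure domains.
UPDATE_SERVICE = "uhssvc.exe"


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value' egress log line (assumed format)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one record, or None if nothing stands out."""
    proc = rec.get("process", "").lower()
    host = rec.get("host", "").lower()
    if proc != UPDATE_SERVICE:
        return None  # only the update service's own egress is in scope here
    if LEGACY_BLOB_RE.match(host):
        return "legacy-blob-endpoint"  # v1.0 behaviour: upgrade and investigate
    if host != EXPECTED_HOST:
        return "unexpected-destination"  # feed into the configuration audit
    return None


def scan(lines) -> List[Tuple[str, str, str]]:
    """Run classify() over log lines and collect (ts, host, label) findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.append((rec.get("ts", ""), rec.get("host", ""), label))
    return findings


# Constructed sample log; IPs are documentation addresses, not real destinations.
SAMPLE_LOG = """\
ts=2025-11-26T10:00:01Z process=uhssvc.exe host=payloadprod7.blob.core.windows.net dst=203.0.113.10
ts=2025-11-26T10:00:02Z process=uhssvc.exe host=devicelistenerprod.microsoft.com dst=203.0.113.11
ts=2025-11-26T10:00:03Z process=other.exe host=payloadprod3.blob.core.windows.net dst=203.0.113.12
ts=2025-11-26T10:00:04Z process=uhssvc.exe host=example.org dst=203.0.113.13
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The single-host allowlist is deliberately strict; widen it only after confirming, from your own version 1.1 deployment, which endpoints the service legitimately contacts.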