A critical remote code execution (RCE) vulnerability has been found in Microsoft’s Update Health Tools (KB4023057), a widely deployed Windows component designed to expedite security updates through Intune.
The flaw stems from the tool connecting to unregistered (dangling) Azure Blob storage accounts that attackers could register and control.
How the Vulnerability Works
The vulnerability exists in version 1.0 of the Update Health Tools, which uses Azure Blob storage accounts following a predictable naming pattern (payloadprod0 through payloadprod15.blob.core.windows.net) to fetch configuration files and commands.
Eye Security researchers found that Microsoft had left 10 of the 15 storage accounts unregistered and unused.
After registering these abandoned endpoints, the researchers observed over 544,000 HTTP requests within seven days from nearly 10,000 unique Azure tenants worldwide.
The tool’s uhssvc.exe service, located at C:\Program Files\Microsoft Update Health Tools, was actively resolving these domains across multiple enterprise environments.

The critical issue lies in the tool’s “ExecuteTool” action, which allows execution of Microsoft-signed binaries.
By crafting malicious JSON payloads that point to legitimate Windows executables such as explorer.exe, attackers can achieve arbitrary code execution on vulnerable systems.
The newer version 1.1 implements a proper web service at devicelistenerprod.microsoft.com, though backward-compatibility options could still expose systems.
Eye Security reported the vulnerability to Microsoft on July 7, 2025, and Microsoft confirmed the behavior on July 17.
Hashicorp researchers transferred ownership of all compromised storage accounts back to Microsoft on July 18, 2025, effectively closing the attack vector.
Organizations should ensure they are running the latest version of Update Health Tools and verify no legacy configurations remain enabled.
Security teams should monitor for unusual network traffic to Azure Blob storage endpoints from update services.
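As an added, defender-side example that is not part of the article: a small Python scanner over constructed DNS-query events (a tab-separated key=value format assumed here, not any real product's log format) that flags hosts still resolving the predictable payloadprod0 through payloadprod15 names described above, distinguishing uhssvc.exe itself from any other process; the version 1.1 endpoint devicelistenerprod.microsoft.com is deliberately left unflagged.

```python
import re
from dataclasses import dataclass

# Legacy v1.0 naming pattern described in the article: payloadprod0..payloadprod15
LEGACY_RE = re.compile(r"^payloadprod(\d{1,2})\.blob\.core\.windows\.net$", re.IGNORECASE)
LEGACY_MAX_INDEX = 15
# Service binary and install path named in the article
SERVICE_IMAGE = r"C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"

@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    query: str
    reason: str

def is_legacy_payload_host(name: str) -> bool:
    """True if the queried name is one of the predictable v1.0 storage accounts."""
    m = LEGACY_RE.match(name.strip())
    return bool(m) and int(m.group(1)) <= LEGACY_MAX_INDEX

def parse_event(line: str) -> dict:
    """Parse one tab-separated key=value DNS-query event (constructed format)."""
    return dict(part.split("=", 1) for part in line.rstrip("\n").split("\t"))

def scan(lines) -> list:
    """Flag DNS queries for the legacy payloadprod* accounts and explain why."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        query, image = ev.get("query", ""), ev.get("image", "")
        if not is_legacy_payload_host(query):
            continue  # v1.1 endpoint and unrelated names are not flagged
        if image.lower() == SERVICE_IMAGE.lower():
            reason = "uhssvc.exe still resolving legacy v1.0 blob endpoints; check tool version"
        else:
            reason = "process other than uhssvc.exe contacting legacy payloadprod endpoint"
        findings.append(Finding(ev.get("host", "?"), image, query, reason))
    return findings

def _event(host: str, image: str, query: str) -> str:
    return f"host={host}\timage={image}\tquery={query}"

# Constructed sample events, not real telemetry
SAMPLE_LOG = [
    _event("WS-0412", SERVICE_IMAGE, "payloadprod7.blob.core.windows.net"),
    _event("WS-0412", SERVICE_IMAGE, "devicelistenerprod.microsoft.com"),
    _event("WS-0991", r"C:\Windows\System32\svchost.exe", "PAYLOADPROD12.blob.core.windows.net"),
    _event("WS-0500", SERVICE_IMAGE, "payloadprod99.blob.core.windows.net"),  # outside 0..15
]
```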