Microsoft’s Update Health Tools Configuration Vulnerability Lets Attackers Execute Arbitrary Code Remotely

By AnuPriya
Publication Date: 2025-11-25 07:06:00

A critical security vulnerability in Microsoft Update Health Tools (KB4023057) has been discovered that could allow attackers to execute arbitrary code remotely on Windows devices by exploiting abandoned Azure Blob Storage accounts.

The flaw affects environments using the Update Health Service (uhssvc.exe), a Microsoft-signed component designed to help enterprises deploy security updates faster via Intune.

How the Attack Works

The Update Health Service, located at C:\Program Files\Microsoft Update Health Tools\uhssvc.exe, periodically connects to Azure Blob Storage to retrieve JSON configuration files that control update behavior.

In version 1.0 of Update Health Tools, the client contacted storage accounts named payloadprod0.blob.core.windows.net through payloadprod15.blob.core.windows.net.
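
Clients still resolving these version 1.0 endpoints can be found in DNS or proxy logs. The following is an added example, not code from the article, Microsoft, or Eye Security; the log format (`<timestamp> <client_ip> <qname>`) and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Hostnames named in the article: payloadprod0 through payloadprod15 under
# blob.core.windows.net. The numeric range is matched exactly so that
# payloadprod16 or look-alike suffixes do not produce hits.
LEGACY_HOST = re.compile(r"payloadprod(?:1[0-5]|[0-9])\.blob\.core\.windows\.net")

def normalize(qname):
    """Lower-case a queried name and drop the trailing root dot DNS logs often carry."""
    return qname.strip().lower().rstrip(".")

def is_legacy_endpoint(qname):
    """True only when the whole name is one of the sixteen legacy endpoints."""
    return LEGACY_HOST.fullmatch(normalize(qname)) is not None

def find_legacy_lookups(lines):
    """Return {client_ip: sorted list of legacy hostnames that client queried}.

    Assumed log format (constructed for this example):
    '<timestamp> <client_ip> <qname>'. Malformed lines are skipped.
    """
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        if is_legacy_endpoint(qname):
            hits[client].add(normalize(qname))
    return {client: sorted(hosts) for client, hosts in hits.items()}

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2025-11-25T07:10:01Z 10.0.4.17 payloadprod3.blob.core.windows.net.
2025-11-25T07:10:05Z 10.0.4.17 PAYLOADPROD15.blob.core.windows.net
2025-11-25T07:11:40Z 10.0.9.2 payloadprod16.blob.core.windows.net
2025-11-25T07:12:02Z 10.0.9.2 payloadprod1.blob.core.windows.net.example.test
2025-11-25T07:12:30Z 10.0.7.8 payloadprod0.blob.core.windows.net
truncated-line
""".splitlines()

if __name__ == "__main__":
    for client, hosts in sorted(find_legacy_lookups(SAMPLE_LOG).items()):
        print(client, ", ".join(hosts))
```

Hosts reported here are candidates for checking which Update Health Tools version they run.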

Windows Update Health Tools 1.0 (KB4023057)

Security researchers at Eye Security discovered that several of these storage accounts were no longer under…