CVE-2024-28916: Xbox Gaming Services link-follow EoP explained

Title: CVE confusion and the real risk — Xbox Gaming Services “link following” elevation-of-privilege explained
Lede

• Short version for busy admins: the Xbox Gaming Services elevation‑of‑privilege flaw widely discussed in 2024/2025 is indexed publicly as CVE-2024-28916 (CWE‑59: Improper link resolution before file access). It allows a locally‑authorized, low‑privilege user to abuse link‑following behavior in the Gaming Services component to escalate to higher privileges; Microsoft published an advisory and has issued fixes. (msrc.microsoft.com) (nvd.nist.gov)
• Note for the reader who supplied CVE‑2025‑55245: public trackers and Microsoft’s advisory show this defect under CVE‑2024‑28916; the MSRC page is a dynamic app and CVE identifiers in URLs or summaries can sometimes be transposed or rendered in ways that confuse copy/paste — verify the CVE on the vendor page and NVD before taking action. (msrc.microsoft.com)

Why this matters (quick background)

• Elevation‑of‑privilege (EoP) bugs let a lower‑privilege actor obtain greater rights on the local machine; those rights can be used to disable protections, install persistent malware, or move laterally. The Xbox Gaming Services issue is specifically an improper link‑resolution (CWE‑59) problem — sometimes called “link following” — which arises when code opens or manipulates file system entries without securely resolving symbolic links / reparse points first. When that resolution is mishandled, an attacker can coerce file operations to act on files they shouldn’t control. (nvd.nist.gov)

The authoritative record (what the trackers say)

• Microsoft listed the issue in its Security Update Guide; public vulnerability databases consolidated the entry as CVE‑2024‑28916 with the problem type CWE‑59 and assigned a high impact score (CVSS v3.1 base score 8.8 in Microsoft’s CNA data). The affected component is “Xbox Gaming Services” with affected versions recorded as earlier builds (v19.0.0.0 up to, but excluding, 19.87.13001.0 in the published CPE range). (msrc.microsoft.com) (cve.circl.lu, nvd.nist.gov)

Timeline and disclosure context (what happened, when)

• Public reporting and researcher disclosures: the technical details and a proof‑of‑concept were disclosed publicly in March 2024; third‑party reporting indicates an independent researcher published a PoC and video demonstrating the exploit, after initially reporting to Microsoft. After the public disclosure the issue was triaged and Microsoft released advisory/patch guidance within days. If you are tracking exploitability or active abuse, note that the public disclosure raised the exploitability rating and motivated rapid vendor mitigation. (securityweek.com, nvd.nist.gov)

Technical anatomy — how a link‑following (CWE‑59) exploit works, in plain English

• What “link following” means in practice: a process receives a path (for example, C:\ProgramData\GamingServices\foo\bar\config.json) and performs an operation like open(), write(), rename(), or delete(). If the component doesn’t securely check for symbolic links, junctions, or reparse points during that operation (or it resolves them incorrectly under race conditions), an attacker can replace a benign target with a link to a protected resource and make the component perform the operation on the attacker’s chosen target (for example, a system file or service config). That mismatch is the core of CWE‑59. (nvd.nist.gov)
• Typical exploit primitives used by researchers: (1) create controlled file entries or reparse points in locations the service will process; (2) wait for the service to perform a file operation; (3) cause the operation to act on an attacker‑chosen file (move/write/delete) that yields elevated access or allows code execution. Researchers have demonstrated these as local attacks where a user with limited privileges causes a higher‑privilege service to move or overwrite files it shouldn’t. (securityweek.com)

Who/what is affected

• Product: Microsoft Xbox Gaming Services component (desktop/service component on Windows platforms that installs in some scenarios). The public metadata shows version ranges: starting from 19.0.0.0 up to the fixed threshold (19.87.13001.0) per the published CPE data — confirm exact build numbers in your environment against Microsoft’s advisory. (cve.circl.lu)
• Attack vector: Local. An attacker must be able to run code or take actions on the host (for example, a standard (non‑admin) local user account), not a remote unauthenticated adversary. That said, local vectors are significant in multi‑user environments, development hosts, shared consoles, or where untrusted code can run. (nvd.nist.gov)

Exploitability & observed public activity

• Public PoC: independent reporting shows a proof‑of‑concept was released publicly and was rapidly confirmed by other researchers. That public PoC increases the risk profile (researchers and defenders should assume easier reproduction). Microsoft treated the issue as Important and worked to produce fixes after the disclosure. (securityweek.com, msrc.microsoft.com)
• Exploited in wild? No widely‑reported, confirmed in‑the‑wild exploitation campaigns were announced at the time of the vendor advisory, but public PoCs and the low privileges required make the issue one to patch urgently. Track the vendor and CISA/NVD notifications for later changes to “exploit observed” status. (securityweek.com, nvd.nist.gov)

Patching, mitigation, and immediate triage steps
1) Confirm the exact advisory/CVE in your environment

• Don’t rely solely on a copied CVE number from a screenshot or URL: check Microsoft’s Security Update Guide entry for the Xbox Gaming Services advisory and the NVD/CNAs for the consolidated CVE record. Several community trackers and vendor pages converge on CVE‑2024‑28916 as the authoritative index for this defect. (If you saw a different CVE in an MSRC URL, that can be a rendering or mapping artifact — verify.) (msrc.microsoft.com)

2) Apply vendor fixes

• If your systems run the affected Gaming Services versions, deploy Microsoft’s update for Xbox Gaming Services (the MSRC advisory lists the fixed packages / KBs). Follow your standard change control: stage → test → deploy. The advisory and update catalog are the authoritative sources for KB numbers and package builds. (msrc.microsoft.com)

3) Short compensating controls (if you cannot patch immediately)

• Limit who can log on locally: restrict local account creation and remove excess local privileges where practicable.
• Limit the Gaming Services process’ ability to access sensitive directories (file ACLs) while you patch, if possible, and validate no business‑critical function is broken.
• Use host EDR rules to alert on suspicious file moves/writes originating from the Gaming Services process or unexpected attempts to modify system service files. (Practical mitigations must be tested — do not deploy aggressively in production without validation.)
• If Gaming Services is not required in your environment, consider disabling the service until you can patch — but test for side effects (store/Game‑pass functions may depend on it). These are operational-level decisions aligned with typical vendor remediation playbooks.

Detection and hunting guidance (practical queries)

• Look for anomalous file operations performed by the Gaming Services service identity: unexpected renames, moves, or file overwrites in system folders (Windows\System32, ProgramData, services directories).
• Monitor process trees and module loads: attempts by low‑privilege processes to trigger Gaming Services to touch protected files may show as unusual IPC, RPC, or Service Control Manager events.
• Correlate with discovery: sudden service restarts, elevated privileges obtained by previously low‑privileged accounts, or policy changes shortly after Gaming Services activity are suspicious.
• If you have EDR, create an alert for Gaming Services (by service/executable name) performing file modifications outside its normal install/data paths. Use controlled test runs in staging before enabling in production to tune false positives. (See vendor advisory pages for the exact service/executable names to target.) (msrc.microsoft.com)

Risk assessment and recommended priority

• Why patch quickly: local EoP with low privileges required and public PoC raise a high risk for multi‑user and developer hosts; the CVSS and vendor CNA data reflect the high confidentiality/integrity impact if exploited. Prioritize rolling out the vendor fix to all endpoints where Gaming Services is installed. (nvd.nist.gov, cve.circl.lu)

Clarifying the CVE identifier mismatch you might have hit

• If you supplied CVE‑2025‑55245 (or saw it in an MSRC URL), be aware that public trackers and Microsoft’s CNA list the Gaming Services link‑following issue under CVE‑2024‑28916. MSRC pages are dynamic single‑page applications and sometimes present mappings or placeholders that cause confusion when copied; community archives and internal forum notes also warn about transposed or transient CVE numbers in some MSRC URLs, so always confirm the canonical CVE on Microsoft’s advisory page and on NVD/CNA. (nvd.nist.gov)

What defenders should do — checklist (concise)

• Inventory: locate systems where Xbox Gaming Services is installed (check appx/package lists and service names).
• Verify: match installed Gaming Services build numbers against the fixed build (the advisory lists the fixed threshold). (cve.circl.lu)
• Patch: deploy Microsoft’s update as soon as feasible following normal change control. (msrc.microsoft.com)
• Hunt: enable alerts for Gaming Services performing unexpected file operations; search recent logs for suspicious rename/move/delete activity.
• Compensate: restrict local logon and tighten ACLs temporarily if patching is delayed.

What researchers and developers can learn from this flaw

• Filesystem operations are a frequent source of privilege escalation when link/junction resolution or race conditions are ignored. Use safe APIs where available, check the final resolved path against an allowlist, use atomic operations where possible, and apply TOCTOU‑aware design (avoid time‑of‑check/time‑of‑use races). Consider least privilege for service identities and design services so that they never need to perform privileged file writes on arbitrary client‑supplied paths. The CWE‑59 class remains a practical, recurring pattern; mitigate with secure path resolution and strict ACLs. (nvd.nist.gov)

Further reading and trackers (for your research list)

• Microsoft Security Update Guide (advisory entry for the Xbox Gaming Services issue — verify the KB/build IDs on the page). (msrc.microsoft.com)
• NVD / CVE canonical entry for CVE‑2024‑28916 (CWE and CVSS metadata summarized). (nvd.nist.gov)
• Community and media coverage documenting the disclosure, PoC, and researcher timeline that prompted the rapid vendor fix. (securityweek.com)

Final note — a pragmatic reminder about CVE IDs and vendor pages

• Vendors’ advisory portals are authoritative, but they are often dynamic, updated frequently, and may present identifiers in ways that look like different CVE numbers. If you or your tools show a CVE that does not match widely indexed trackers, pause and verify across MSRC, NVD, and your internal inventory before acting. In this case, the public consensus and vendor CNA data point to CVE‑2024‑28916 as the Xbox Gaming Services link‑following EoP item — patch accordingly. (msrc.microsoft.com, nvd.nist.gov)

If you’d like

• I can: (A) produce a one‑page, printer‑friendly remediation checklist for your sysadmins with exact commands to detect the Gaming Services package and verify installed build numbers; (B) produce sample EDR detection rules (YARA/EDR hunt queries) tuned for common Gaming Services file‑operation indicators; or (C) walk an incident response playbook to help investigate whether a given host was exploited before the patch. Tell me which you prefer and any constraints (EDR vendor, management platform, patch window) and I’ll draft it.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center