Microsoft has published an advisory identifying CVE-2025-55317, a local elevation-of-privilege flaw in Microsoft AutoUpdate (MAU) caused by improper link resolution before file access — commonly described as a link-following or symlink/junction weakness — that can allow an authorized local attacker to escalate to higher privileges on an affected host. The issue affects MAU’s file-access logic and, according to the vendor advisory, occurs when the updater follows attacker-controlled reparse points (or otherwise resolves links) before validating or restricting the privileged file operation, enabling the attacker to coerce MAU into performing writes or replacements in protected locations. The advisory for CVE-2025-55317 is hosted on the Microsoft Security Response Center.
This pattern is well understood: trusted maintenance utilities, installer services, and auto-update agents routinely combine elevated privileges with operations touching user-writable directories. When they do not canonicalize and validate targets (ownership, existence, and expected path), they become an elevation vector. Recent MAU advisories show Microsoft patching variants of this class repeatedly, underscoring the recurring nature of the risk.
Background
What is Microsoft AutoUpdate (MAU)?
Microsoft AutoUpdate (MAU) is Microsoft’s updater for non-Windows platforms (notably macOS) and for certain Microsoft apps. It runs background checks, downloads update payloads and executes update actions — tasks that inherently require elevated file operations and, in some configurations, root-level access. Because MAU runs with trusted privileges to modify application files and system resources, any bug in its file-handling or privilege checks is a high-value target for local attackers and malware authors. This class of issue has appeared multiple times across MAU advisories in 2024–2025, showing a recurring pattern around unsafe file operations and privilege management. (app.opencve.io)What “link following” means and why it matters
A link-following vulnerability arises when privileged code performs file operations (create, write, move, delete, or load) and mistakenly follows filesystem reparse points — symbolic links, junctions, or other reparse types — that were created by a less-privileged user. If MAU resolves a reparse point that points to a protected system path or another user’s resource, the privileged operation can be redirected to an attacker-controlled target. This can result in overwriting system binaries, replacing configuration files, or planting malicious executables that will later be executed with higher privileges.This pattern is well understood: trusted maintenance utilities, installer services, and auto-update agents routinely combine elevated privileges with operations touching user-writable directories. When they do not canonicalize and validate targets (ownership, existence, and expected path), they become an elevation vector. Recent MAU advisories show Microsoft patching variants of this class repeatedly, underscoring the recurring nature of the risk.
The CVE-2025-55317 advisory — summary and verification
- Advisory headline (vendor): Improper link resolution before file access ('link following') in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally.
- Affected component: Microsoft AutoUpdate (MAU).
- Impact: Local elevation of privilege (EoP) — attacker with some account-level access on the host can trick MAU into performing privileged file operations.
- Exploit vector: Local (requires the attacker to be able to run code or place files with their user permissions on the machine).
- Public exploit status: As of this advisory publication, no public proof-of-concept exploit was distributed by Microsoft; public exploit availability is often tracked in public CVE/NVD feeds (see note below). (msrc.microsoft.com, nvd.nist.gov, nvd.nist.gov, msrc.microsoft.com, app.opencve.io, Security Update Guide - Microsoft Security Response Center
