A high-severity vulnerability has been identified in the Microsoft Store's installation process for the Epic Games Store. This flaw allows a local user with standard access to a computer to exploit the installer and gain full administrative privileges. Successful exploitation could lead to a complete system compromise, allowing an attacker to install malware, steal data, or disrupt operations.

This is a local privilege escalation (LPE) vulnerability that occurs due to improper permission handling during the installation of the Epic Games Store application via the Microsoft Store. The installation process is likely executed with elevated privileges (e.g., NT AUTHORITY\SYSTEM). An authenticated attacker with standard user permissions can exploit this by manipulating the installation path or files, potentially using techniques like a symbolic link attack or DLL hijacking, to trick the high-privileged installer into executing arbitrary code or overwriting protected system files, resulting in the attacker gaining SYSTEM-level privileges.

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would allow an attacker who has already gained initial low-privileged access to a workstation to escalate their privileges to the highest level on the system. This would bypass security controls and could lead to a complete system compromise, enabling the attacker to steal sensitive data, install persistent malware like ransomware or rootkits, disable security software, and use the compromised machine as a pivot point to attack other systems on the corporate network.

Immediate Action: Organizations must apply the security updates released by Microsoft to all affected systems immediately. Following patching, a review of user account permissions should be conducted to ensure the principle of least privilege is enforced, limiting the attack surface for similar local exploits.

Proactive Monitoring: Monitor for anomalous process creation originating from the Microsoft Store installer services. Security teams should review Windows Event Logs (Security and System logs) for unauthorized privilege escalation events (e.g., Event ID 4672) and unexpected modifications to critical system files in directories like C:\Windows\System32. Endpoint Detection and Response (EDR) solutions should be tuned to detect common LPE techniques.

Compensating Controls: If patching cannot be performed immediately, consider implementing application control policies (e.g., AppLocker, WDAC) to restrict non-essential users from installing applications from the Microsoft Store. Enhance endpoint monitoring on unpatched systems, focusing specifically on file and process activity related to application installations.

Public Exploit Available: false

Given the high CVSS score of 8.8 and the critical impact of a successful exploit, this vulnerability presents a significant risk to the organization. A local attacker could gain full administrative control, leading to a complete compromise of the affected endpoint. While this vulnerability is not currently on the CISA KEV list, its severity demands immediate action. We strongly recommend prioritizing the deployment of the vendor-supplied patches across all affected assets and subsequently verifying successful patch installation.