
CVE-2025-61973: Epic Games Store Privilege Escalation

CVE-2025-61973 is a local privilege escalation vulnerability in Epic Games Store installation via Microsoft Store. Attackers can replace DLL files to gain elevated privileges. This article covers technical details, impact, and mitigation.


CVE-2025-61973 Overview

A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. This vulnerability allows a low-privilege user to replace a DLL file during the installation process, which may result in unintended elevation of privileges. The flaw stems from improper access control (CWE-284) during the software installation workflow, creating an opportunity for attackers with local access to escalate their privileges on the target system.

Critical Impact

A local attacker with low privileges can exploit this DLL replacement vulnerability during Epic Games Store installation to gain elevated system privileges, potentially leading to full system compromise.

Affected Products

  • Epic Games Store (installation via Microsoft Store)
  • Microsoft Store application deployment mechanism

Discovery Timeline

  • 2026-01-15 - CVE-2025-61973 published to NVD
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2025-61973

Vulnerability Analysis

This vulnerability is classified under CWE-284 (Improper Access Control) and manifests during the Epic Games Store installation process when deployed through the Microsoft Store. The installation workflow fails to properly validate or protect DLL files that are loaded during the installation sequence, creating a window of opportunity for malicious DLL replacement.

The attack requires local access to the target system and can be exploited by a user with low-level privileges. When successful, the attacker can achieve privilege escalation that crosses security boundaries, potentially gaining access to protected system resources and compromising the confidentiality, integrity, and availability of the affected system.

Root Cause

The root cause of this vulnerability lies in improper access control during the Epic Games Store installation process. Specifically, the installation workflow does not adequately protect the directories or files involved in the DLL loading process, allowing a low-privilege user to substitute a legitimate DLL with a malicious one. This is a classic DLL hijacking scenario where insufficient file system permissions and lack of integrity verification combine to create an exploitable condition.

Attack Vector

The attack vector is local, requiring the attacker to have existing access to the target system with at least low-level user privileges. The exploitation scenario involves the following sequence:

  1. The attacker identifies the installation directory or staging area used by the Epic Games Store installer
  2. During the installation process, the attacker replaces a legitimate DLL file with a malicious payload
  3. The installer loads the malicious DLL with elevated privileges
  4. The attacker's code executes in a privileged context, achieving privilege escalation

The vulnerability does not require user interaction beyond the normal installation process, and the attack complexity is considered low, making it accessible to moderately skilled attackers.

For detailed technical information about this vulnerability, refer to the Talos Intelligence Vulnerability Report.

Detection Methods for CVE-2025-61973

Indicators of Compromise

  • Unexpected DLL files appearing in Epic Games Store installation directories with recent timestamps
  • Modified DLL files with hashes that don't match known-good Epic Games Store installation packages
  • Process creation events showing unusual child processes spawned from the Epic Games Store installer
  • Privilege escalation events associated with the Microsoft Store or Epic Games installation processes

Detection Strategies

  • Monitor file system activity in installation staging directories for unauthorized file modifications during software deployment
  • Implement file integrity monitoring on directories associated with Microsoft Store application installations
  • Deploy endpoint detection rules that alert on DLL loading anomalies during application installation processes
  • Utilize SentinelOne's behavioral AI to detect privilege escalation patterns associated with DLL hijacking attacks

Monitoring Recommendations

  • Enable detailed logging for Windows Installer and Microsoft Store deployment activities
  • Configure alerts for file modifications in %ProgramFiles%, %ProgramFiles(x86)%, and temporary installation directories during Epic Games Store deployments
  • Monitor Windows Event Logs for process creation events (Event ID 4688) associated with installation processes
  • Review Sysmon logs for DLL loading events (Event ID 7) from installation-related processes
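As an added example (not from the original page, Epic Games or SentinelOne), the following Python applies two of the detection points above, the hash-mismatch indicator and the review of Sysmon Event ID 7 (Image loaded) records, to constructed events: it flags DLLs loaded from Store deployment or installer staging directories that are unsigned or whose SHA256 is not in a known-good set. The directory prefixes, the installer path and the digests are assumptions and placeholders.

```python
import hashlib

# Known-good SHA256 digests of the installer's DLLs. In practice these come from the
# vendor package; here one is computed from a constructed byte string so the example runs offline.
KNOWN_GOOD_SHA256 = {hashlib.sha256(b"constructed legitimate launcher dll").hexdigest()}

# Lower-cased prefixes of the Store deployment and installer staging directories in scope (assumed).
INSTALL_DIRS = ("c:\\program files\\windowsapps\\", "c:\\program files\\",
                "c:\\program files (x86)\\", "c:\\windows\\temp\\")

# Constructed records mirroring the fields of Sysmon Event ID 7 (Image loaded); paths are placeholders.
INSTALLER = "C:\\Program Files\\WindowsApps\\EpicStore_PLACEHOLDER\\Installer.exe"
SAMPLE_EVENTS = [
    # legitimate DLL: signed, digest in the known-good set -> no finding
    {"EventID": 7, "Image": INSTALLER, "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Program Files\\WindowsApps\\EpicStore_PLACEHOLDER\\Launcher.dll",
     "Hashes": "SHA256=" + next(iter(KNOWN_GOOD_SHA256))},
    # replaced DLL in the staging directory: unsigned and unknown digest -> finding
    {"EventID": 7, "Image": INSTALLER, "Signed": "false", "SignatureStatus": "Unavailable",
     "ImageLoaded": "C:\\Program Files\\WindowsApps\\EpicStore_PLACEHOLDER\\Launcher.dll",
     "Hashes": "SHA256=" + hashlib.sha256(b"constructed replaced dll").hexdigest()},
    # OS library outside the staging directories: out of scope, ignored
    {"EventID": 7, "Image": INSTALLER, "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Hashes": "SHA256=" + "0" * 64},
]

def parse_hashes(field):
    """Split Sysmon's 'SHA256=...,MD5=...' field into {algorithm: lower-case digest}."""
    return {k.strip().upper(): v.strip().lower()
            for k, _, v in (p.partition("=") for p in field.split(",")) if v}

def classify(event, known_good=KNOWN_GOOD_SHA256):
    """Return the list of reasons a DLL load is suspicious, or None if out of scope or clean."""
    if event.get("EventID") != 7:
        return None
    loaded = event.get("ImageLoaded", "").lower()
    if not loaded.endswith(".dll") or not loaded.startswith(INSTALL_DIRS):
        return None
    reasons = []
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned-or-invalid-signature")
    if parse_hashes(event.get("Hashes", "")).get("SHA256") not in known_good:
        reasons.append("sha256-not-in-known-good-set")
    return reasons or None

def scan(events, known_good=KNOWN_GOOD_SHA256):
    """Run classify over a batch of events and return (image, loaded_dll, reasons) findings."""
    return [(e["Image"], e["ImageLoaded"], r) for e in events if (r := classify(e, known_good))]
```

Feeding real Sysmon ID 7 records (exported as dictionaries with the same field names) into `scan` yields one finding per in-scope DLL load that fails either check.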

How to Mitigate CVE-2025-61973

Immediate Actions Required

  • Restrict local access to systems where Epic Games Store is being installed to trusted administrators only
  • Ensure installation processes are performed by verified administrators in a controlled environment
  • Implement application whitelisting to prevent unauthorized DLL execution during installation
  • Review and harden file system permissions on directories used during software installation

Patch Information

Organizations should monitor the Talos Intelligence Vulnerability Report for updates on vendor patches or official remediation guidance from Epic Games. Until a patch is available, implement the workarounds and mitigations described below.

Workarounds

  • Avoid installing Epic Games Store via the Microsoft Store on multi-user systems until a patch is released
  • Install Epic Games Store using the standalone installer from the official Epic Games website on isolated, single-user systems
  • Implement strict access controls on installation directories to prevent unauthorized file modifications
  • Use Windows Defender Application Control (WDAC) or AppLocker policies to restrict DLL loading to signed, trusted libraries
```cmd
REM Example: Restrict permissions on common installation staging directories.
REM /inheritance:r strips inherited ACEs and /grant:r replaces the explicit grants with
REM only those listed, so save the current ACL first (icacls <dir> /save <file>) and
REM test on a non-production host: the Store itself relies on access to WindowsApps.
icacls "C:\Program Files\WindowsApps" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
