Windows Downgrade attack exposes fully patched systems to old flaws

SafeBreach security researcher Alon Leviev exposed two security vulnerabilities that could be exploited to perform downgrade attacks on fully updated Windows systems.

The technique effectively “unpatches” systems, reintroducing previously fixed vulnerabilities and rendering the notion of a “fully patched” Windows machine virtually meaningless.

The vulnerabilities, tracked as CVE-2024-38202 and CVE-2024-21302, affect Windows 10, Windows 11, and Windows Server platforms.

Leviev demonstrated how attackers could exploit these flaws to subvert the Windows Update process itself. Using a custom tool he developed, dubbed “Windows Downdate,” Leviev showed that it is possible to force an up-to-date Windows system to roll back critical components—such as dynamic link libraries (DLLs) and even the NT Kernel—to older, vulnerable versions. Despite these downgrades, the Windows Update service falsely reports that the system is fully updated.

As Leviev explained, the downgrade attack is undetectable because it cannot be blocked by endpoint detection and response (EDR) solutions, and it’s also invisible since Windows Update reports that a device is fully updated.

By downgrading key components like Credential Guard's Secure Kernel, the Isolated User Mode Process, and Hyper-V's hypervisor, the researcher managed to expose the systems to a multitude of past privilege escalation vulnerabilities. In essence, the attack reintroduces fixed vulnerabilities as though they were new, effectively turning them into zero-days once more.
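Because the attack leaves Windows Update reporting a fully updated state, a defender cannot rely on that status alone. The following PowerShell script is an added example (not from the article, and not part of SafeBreach's Windows Downdate tool) that checks the on-disk version and Authenticode signature of the boot-critical binaries named above against a baseline captured from a known-good, freshly patched machine of the same build. The file paths are standard Windows system binaries; the baseline version strings are placeholders and must be filled in from your own reference system.

```powershell
# Added example: independently verify boot-critical component versions instead of
# trusting the Windows Update "fully updated" status.
# Baseline values below are PLACEHOLDERS; record them from a known-good reference
# machine (same OS build) with: (Get-Item $path).VersionInfo.FileVersionRaw

$Baseline = @{
    'C:\Windows\System32\ntoskrnl.exe'     = '10.0.0.0'   # placeholder: NT kernel
    'C:\Windows\System32\securekernel.exe' = '10.0.0.0'   # placeholder: Secure Kernel (VBS / Credential Guard)
    'C:\Windows\System32\hvix64.exe'       = '10.0.0.0'   # placeholder: Hyper-V hypervisor (Intel)
    'C:\Windows\System32\ci.dll'           = '10.0.0.0'   # placeholder: Code Integrity
}

function Test-ComponentVersion {
    param(
        [Parameter(Mandatory)][hashtable]$Expected
    )
    $findings = foreach ($path in $Expected.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Installed = $null; Expected = $Expected[$path]; Signer = $null }
            continue
        }
        $info = (Get-Item -LiteralPath $path).VersionInfo
        # FileVersionRaw is the numeric [version]; FileVersion may carry extra text.
        $installed = $info.FileVersionRaw
        $expected  = [version]$Expected[$path]
        $sig = Get-AuthenticodeSignature -LiteralPath $path

        # A rolled-back Microsoft binary is still validly signed, so the version
        # comparison, not the signature check, is what detects a downgrade.
        $status = if ($sig.Status -ne 'Valid')       { 'BadSignature' }
                  elseif ($installed -lt $expected) { 'Downgraded' }
                  elseif ($installed -gt $expected) { 'NewerThanBaseline' }
                  else                              { 'OK' }

        [pscustomobject]@{
            Path      = $path
            Status    = $status
            Installed = $installed.ToString()
            Expected  = $expected.ToString()
            Signer    = $sig.SignerCertificate.Subject
        }
    }
    return $findings
}

$results = Test-ComponentVersion -Expected $Baseline
$results | Format-Table -AutoSize

if ($results | Where-Object Status -in 'Downgraded', 'BadSignature', 'Missing') {
    Write-Warning 'One or more boot-critical components differ from the baseline; do not rely on Windows Update status alone.'
    exit 1
}
```

Run it from an elevated prompt on a schedule or as part of an endpoint compliance check, and treat a `Downgraded` result as a high-priority finding. Keep the baseline in a location the endpoint cannot modify (a central configuration store or a signed file) and refresh it after each patch cycle, since a genuinely patched system will otherwise show `NewerThanBaseline` for every updated binary.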

Microsoft has published security advisories addressing the two unpatched vulnerabilities. The advisories provide temporary mitigations to reduce the risk of exploitation while the company works on a permanent fix.

Microsoft said that it is not currently aware of any active attempts to exploit these vulnerabilities in the wild.
