Windows Downgrade attack exposes fully patched systems to old flaws

SafeBreach security researcher Alon Leviev exposed two security vulnerabilities that could be exploited to perform downgrade attacks on fully updated Windows systems.

The technique effectively “unpatches” systems, reintroducing previously fixed vulnerabilities and rendering the notion of a “fully patched” Windows machine virtually meaningless.

The vulnerabilities, tracked as CVE-2024-38202 and CVE-2024-21302, affect Windows 10, Windows 11, and Windows Server platforms.

Leviev demonstrated how attackers could exploit these flaws to subvert the Windows Update process itself. Using a custom tool he developed, dubbed “Windows Downdate,” Leviev showed that it is possible to force an up-to-date Windows system to roll back critical components—such as dynamic link libraries (DLLs) and even the NT Kernel—to older, vulnerable versions. Despite these downgrades, the Windows Update service falsely reports that the system is fully updated.

As Leviev explained, the downgrade attack is undetectable because it cannot be blocked by endpoint detection and response (EDR) solutions, and it’s also invisible since Windows Update reports that a device is fully updated.

By downgrading key components like Credential Guard's Secure Kernel, the Isolated User Mode Process, and Hyper-V's hypervisor, the researcher managed to expose the systems to a multitude of past privilege escalation vulnerabilities. In essence, the attack reintroduces fixed vulnerabilities as though they were new, effectively turning them into zero-days once more.
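Because Windows Update keeps reporting the machine as fully updated, a defender cannot rely on that status alone; an independent check of the on-disk versions of the components named above is one way to spot a rollback. The following PowerShell script is an added example written for this page, not code from SafeBreach or from the Windows Downdate tool; the file paths, the baseline location and the assumption that a legitimate update never lowers a component's file version are mine.

```powershell
# Added example: snapshot the file versions of downgrade-prone components and flag any
# that later went backwards. Paths assume a default install; adjust for your estate.
$components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",      # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",  # Secure Kernel (VBS / Credential Guard)
    "$env:SystemRoot\System32\hvix64.exe",        # Hyper-V hypervisor, Intel hosts
    "$env:SystemRoot\System32\hvax64.exe"         # Hyper-V hypervisor, AMD hosts
)

# Returns a hashtable of path -> version string for every component present on disk.
function Get-ComponentVersions {
    $result = @{}
    foreach ($path in $components) {
        if (Test-Path $path) {
            $vi = (Get-Item $path).VersionInfo
            # Build the version from the numeric parts; FileVersion can carry extra text.
            $result[$path] = ('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                   $vi.FileBuildPart, $vi.FilePrivatePart)
        }
    }
    return $result
}

# Compares a saved baseline with the current state; a lower version is a downgrade finding.
function Compare-AgainstBaseline {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) { $findings += "MISSING    $path"; continue }
        if ([version]$Current[$path] -lt [version]$Baseline[$path]) {
            $findings += "DOWNGRADED $path : $($Baseline[$path]) -> $($Current[$path])"
        }
    }
    return $findings
}

$baselineFile = "$env:ProgramData\component-baseline.clixml"   # assumed location
if (-not (Test-Path $baselineFile)) {
    Get-ComponentVersions | Export-Clixml $baselineFile
    Write-Host "Baseline written to $baselineFile"
} else {
    $baseline = Import-Clixml $baselineFile
    $findings = Compare-AgainstBaseline -Baseline $baseline -Current (Get-ComponentVersions)
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
    else { Write-Host "No component downgrades detected." }
}
```

Refresh the baseline only after you have verified an update installed through the normal channel, and keep a copy of it off the host, since an attacker with administrative rights on the machine can rewrite a local baseline as easily as the components themselves.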

Microsoft has published security advisories addressing the two unpatched vulnerabilities. The advisories provide temporary mitigations to reduce the risk of exploitation while the company works on a permanent fix.

Microsoft said that it is not currently aware of any active attempts to exploit these vulnerabilities in the wild.
