Windows Downdate Attack Reverts Patched PCs to a Vulnerable State

Published: 23/11/2024   Category: security


Windows 11 machines remain open to downgrade attacks, where attackers can abuse the Windows Update process to revive a patched driver signature enforcement (DSE) bypass.



Fully patched Windows 11 systems are vulnerable to attacks that allow an adversary to install custom rootkits that can neutralize endpoint security mechanisms, hide malicious processes and network activity, maintain persistence and stealth on a compromised system, and more.
The assault involves a Windows OS downgrade attack technique that SafeBreach security researcher Alon Leviev demonstrated at Black Hat USA 2024 in August, and for which he developed an exploit tool called Windows Downdate. Leviev showed how an attacker, with admin-level access to a system, could tamper with the Windows Update process and revert fully patched Windows components, including dynamic link libraries, drivers, and the kernel, back to a previously vulnerable state.
As part of the demo, the researcher showed how the attack would work even in situations where an organization might have enabled virtualization-based security (VBS) to protect critical OS components. In the same demo, Leviev downgraded VBS features like Secure Kernel and Credential Guard’s Isolated User Mode Process to expose privilege escalation vulnerabilities in them that Microsoft had already addressed.
"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term fully patched meaningless on any Windows machine in the world," Leviev wrote in August.
Since then, Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) that Leviev reported to the company after discovering and exploiting them as part of his attack chain. However, Microsoft has so far not addressed the ability for an attacker with admin access to abuse the Windows Update process itself to downgrade critical OS components back to insecure states.
The issue has to do with Microsoft refusing to consider the ability for an admin-level user to gain kernel code execution as crossing a security boundary. "Microsoft did fix every vulnerability that resulted from crossing a defined security boundary," Leviev tells Dark Reading. "Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed."
To show why that remains a threat, Leviev on Oct. 26 released details of a new Windows downgrade attack he developed, where he used his Windows Downdate tool to revive a driver signature enforcement (DSE) bypass attack that Microsoft had mitigated with its patch for CVE-2024-21302. He showed how an attacker could abuse the issue to load unsigned kernel drivers and deploy bespoke rootkits.
"The ItsNotASecurityBoundary DSE bypass belongs to a new class of flaws known as False File Immutability (FFI)" that researchers at Elastic Security reported earlier this year, Leviev wrote in his Oct. 26 post. "This class exploits incorrect assumptions about file immutability — specifically, that blocking write access sharing makes a file immutable."
Leviev says that all he had to do to execute the attack was to identify the specific OS module (CI.dll) to which Microsoft had applied the patch for CVE-2024-21302, and then use his Downdate tool to downgrade the module back to its unpatched version.
"Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23h2 machine," Leviev wrote on Oct. 26. The researcher added he was able to exploit the issue even when VBS was enabled, with and without UEFI lock for securing the boot process and firmware configuration. "To fully mitigate the attack, VBS needs to be enabled with UEFI lock and the Mandatory flag. Otherwise, it would be possible for an attacker to disable VBS, downgrade ci.dll, and successfully exploit the flaw," he noted.
In an emailed comment, Tim Peck, senior threat researcher at Securonix, described the Windows Downdate attacks as taking advantage of Windows not always validating the version numbers of its DLLs when loading them. "This enables attackers to trick the operating system (OS) into using outdated files that are more susceptible to exploitation," he explained. "If the attacker is able to downgrade Windows Defender, especially in regards to security updates, they would have free rein to execute malicious files or tactics that would normally have been caught."
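The two paragraphs above give a defender two concrete things to check: whether VBS is actually configured the way Leviev says is needed to block the attack (enabled, UEFI-locked, with the Mandatory flag), and whether ci.dll on a host is still the version the latest update installed. The script below is an added example written for this article; it is not code from the article, from SafeBreach, or from Microsoft. It reads the DeviceGuard policy values and the Win32_DeviceGuard WMI class, which exist on Windows 10/11, and compares ci.dll against a baseline version that the operator must supply from a known-good, fully patched machine (the default 0.0.0.0 is a placeholder).

```powershell
# Added example (not from the article or the Windows Downdate tool): audit the VBS
# settings the article names as the full mitigation and check ci.dll for a rollback.
param(
    # Placeholder baseline: replace with the ci.dll file version from a known-good host.
    [version]$ExpectedCiVersion = [version]'0.0.0.0'
)

$findings = @()

# 1. VBS policy as stored in the registry. EnableVirtualizationBasedSecurity and Locked
#    are the standard DeviceGuard policy values; Mandatory is the value Microsoft's
#    guidance for CVE-2024-21302 describes (assumption: verify against current docs).
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$dg = Get-ItemProperty -Path $dgKey -ErrorAction SilentlyContinue

if ($dg.EnableVirtualizationBasedSecurity -ne 1) { $findings += 'VBS is not enabled by policy' }
if ($dg.Locked -ne 1)    { $findings += 'VBS has no UEFI lock; it can be disabled from within the OS' }
if ($dg.Mandatory -ne 1) { $findings += 'VBS Mandatory flag not set; boot can continue with VBS off' }

# 2. Runtime state from WMI: is VBS running, and is HVCI (kernel code integrity) running?
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
#    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
$state = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($state.VirtualizationBasedSecurityStatus -ne 2) { $findings += 'VBS is not running' }
if ($state.SecurityServicesRunning -notcontains 2)  { $findings += 'HVCI is not running' }

# 3. ci.dll version and signature. A downgraded ci.dll is an older but genuine Microsoft
#    binary, so the signature check still passes; only the version comparison against a
#    trusted baseline reveals that the module was rolled back.
$ci = Get-Item "$env:SystemRoot\System32\ci.dll"
$vi = $ci.VersionInfo
$ciVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

$sig = Get-AuthenticodeSignature -FilePath $ci.FullName
if ($sig.Status -ne 'Valid') { $findings += "ci.dll signature status is $($sig.Status)" }

if ($ExpectedCiVersion -eq [version]'0.0.0.0') {
    $findings += 'No ci.dll baseline supplied; pass -ExpectedCiVersion from a known-good host'
} elseif ($ciVersion -lt $ExpectedCiVersion) {
    $findings += "ci.dll is $ciVersion, older than baseline $ExpectedCiVersion (possible downgrade)"
}

# Emit one object per host so the output can be collected centrally.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    CiDllVersion   = $ciVersion.ToString()
    CiDllSignature = $sig.Status.ToString()
    VbsStatus      = $state.VirtualizationBasedSecurityStatus
    Findings       = $findings
}
```

Run it as `.\Check-VbsDowngrade.ps1 -ExpectedCiVersion 10.0.x.y` (file name and baseline are the operator's choice). The design point is in step 3: because Windows Downdate installs legitimately signed older components through the update mechanism, signature validation alone cannot flag the rollback; the baseline version comparison, plus the VBS lock and Mandatory checks from step 1, are what tell you a host is actually protected.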
A Microsoft spokesman noted in an email that the company is "actively developing mitigations to protect against these risks," without specifying what measures it might be taking or when they would be available. "The company is thoroughly investigating update development and compatibility development," he wrote.
"We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat," he wrote. "Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions."
Microsoft will also continue to update information around CVE-2024-21302, he wrote, with additional mitigation or relevant risk reduction guidance as they become available.
