Windows Update Stack EoP — Reintroduce Previously-Patched Vulnerabilities by Rolling Back Updates (CVE-2024-38202)
An elevation-of-privilege flaw in the Windows Update stack lets a low-privilege user trick an administrator into rolling back security patches, reintroducing previously-fixed vulnerabilities (including VBS/Credential Guard bypasses). Disclosed at BlackHat 2024 as "Windows Downdate". Apply the October 2024 cumulative and the WinRE update.
An attacker who has obtained local user access can downgrade specific security-critical components, undoing the protection of recent patches. The most dangerous use is to disable VBS-based protections so that subsequent credential-theft attacks (LSASS dumping, NTLM relay, Kerberoasting variants) succeed against a system the defender believes is fully protected. Because the rollback is performed through legitimate Windows Update / restore mechanisms, the attack leaves minimal signal in EDR.
A design flaw in the Windows Update Stack's restore and recovery code lets an attacker with low privileges craft a malicious "update" payload that the administrator can be tricked into applying via system restore or recovery operations. The result is that previously-installed security patches are rolled back, reintroducing any vulnerability those patches fixed — including bypasses of Virtualization-Based Security (VBS) and Credential Guard. Affected: Windows 10/11 and Windows Server 2016 through Windows Server 2025 prior to the October 2024 Patch Tuesday plus the WinRE update.
Am I affected? Probably yes if any of these apply:
You run one of the affected OS versions listed above and have not yet installed the October 2024 cumulative update and the WinRE update.
SafeBreach's Alon Leviev demonstrated the full "Windows Downdate" technique at Black Hat USA and DEF CON 32 on 7 August 2024 — the same day Microsoft published the advisory but two months before the patch shipped. Leviev open-sourced a working exploit framework. The companion CVE-2024-21302 (Secure Kernel Mode EoP) closes the same downgrade primitive at a different layer. Microsoft completed the full mitigation chain in July 2025 with KB5042562 guidance for blocking VBS-related rollback.
Manual remediation steps
⏱ 90 minutes including the WinRE update and reboot

Apply the October 2024 cumulative update
Look up CVE-2024-38202 to find the current superseding cumulative for your OS.

Update the Windows Recovery Environment (WinRE)
# WinRE must be updated separately — the October 2024 cumulative update does
# NOT automatically patch WinRE on all SKUs. Use the corresponding KB for your OS:
# Server 2022 / Azure Stack HCI 22H2 → KB5046399
# Windows 11 21H2 → KB5046398
# Windows 10 21H2 / 22H2 → KB5046400
#
# Verify WinRE image status:
reagentc /info
# Apply the WinRE update following the KB-specific guidance — the process
# differs from a normal cumulative because it has to mount the recovery image.
Defence-in-depth — apply the VBS rollback block (KB5042562)
# Microsoft published KB5042562 (July 2025) with guidance on deploying the
# signed revocation policy that blocks vulnerable VBS system files. Follow
# the KB instructions to stage SkuSiPolicy.p7b on every protected host.
Verify
# Confirm OS build is at or above the October 2024 level. OSVersion reports
# the base build only; the UBR registry value carries the cumulative-update
# revision, so both are needed to compare against the KB's build number:
[System.Environment]::OSVersion.Version
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR
# Confirm WinRE version was updated:
reagentc /info
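A fleet-check version of the verification above, added here as an example and not taken from this entry or from Microsoft's KB guidance: it compares the UBR against a minimum you take from the October 2024 KB for your build, parses reagentc /info (English output and an elevated prompt assumed) to confirm WinRE is enabled, and looks for the KB5042562 policy file. The function name and the policy staging path are assumptions to confirm against the KB.

```powershell
# Added example; function name and $PolicyPath are assumptions, not values from the entry.
function Test-DowndateRemediation {
    [CmdletBinding()]
    param(
        # UBR of the October 2024 cumulative for this host's build number (take it from the KB).
        [Parameter(Mandatory)][int]$MinimumUbr,
        # Assumed staging path for the signed revocation policy from KB5042562.
        [string]$PolicyPath = "$env:SystemRoot\System32\CodeIntegrity\SkuSiPolicy.p7b"
    )
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # reagentc /info prints "key:   value" lines, e.g. "    Windows RE status:   Enabled".
    # Parse them into a hashtable instead of relying on line positions.
    $re = @{}
    foreach ($line in (& reagentc.exe /info 2>&1)) {
        if ("$line" -match '^\s*(.+?):\s+(.*\S)\s*$') { $re[$Matches[1]] = $Matches[2] }
    }

    $result = [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Build           = "$build.$ubr"
        LcuAtBaseline   = ($ubr -ge $MinimumUbr)                    # October 2024 LCU present
        WinReEnabled    = ($re['Windows RE status'] -eq 'Enabled')  # WinRE registered and enabled
        WinReLocation   = $re['Windows RE location']               # image to check with the WinRE KB
        VbsPolicyStaged = (Test-Path -LiteralPath $PolicyPath)      # KB5042562 rollback block staged
    }
    # A host passes only when all three controls are in place. The WinRE image
    # version itself still has to be confirmed with the KB-specific procedure.
    $result | Add-Member -NotePropertyName Compliant -PassThru -NotePropertyValue (
        $result.LcuAtBaseline -and $result.WinReEnabled -and $result.VbsPolicyStaged)
}

# Usage (elevated prompt). 9999 is a placeholder: substitute the UBR from the
# October 2024 KB for your build, so that LcuAtBaseline is meaningful.
Test-DowndateRemediation -MinimumUbr 9999 | Format-List
```

Run it through Invoke-Command against a list of hosts to collect one object per machine and filter on Compliant.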