Windows Update Vulnerability Endangered Thousands of Companies

Eye Security has discovered a potentially critical vulnerability in the Windows Update Health Tools, which could have affected thousands of business devices.

Researchers from Eye Security have discovered a vulnerability in Microsoft’s Windows Update Health Tools that allowed remote code execution. This service is automatically deployed via Windows Update to improve the reliability of the update process. According to Eye Security, a potential catastrophe was averted.

In a blog post, the Dutch security company describes in detail where things went wrong. An older version of the tool continued to retrieve files from Azure storage endpoints that Microsoft no longer managed. Under the right circumstances, attackers could have claimed these storage locations and served malicious files from them, which the tool would then have executed, with all the consequences that entails. The vulnerability could potentially have affected thousands of companies.

Unmanaged Servers

The discovery began when Eye Research identified an abandoned Azure storage domain that was still being actively called. Within a few hours of the researchers registering the domain, structured requests from systems worldwide started coming in. The predictable naming pattern of the domain indicated that several similar endpoints still existed. In total, ten of these locations received more than half a million requests from nearly ten thousand Azure tenants.

In a controlled test, the researchers demonstrated that, under specific conditions, the tool executed commands fetched from this unmanaged storage, enabling remote code execution. The situation shows how a routine update procedure can become a blind spot: the software continued to rely on infrastructure that was no longer under Microsoft's control, without any warning or active monitoring.
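The underlying weakness is a dangling cloud dependency: an Azure storage account name is globally unique, its hostname (for example `<account>.blob.core.windows.net`) only resolves while the account exists, and once the account is deleted anyone can create an account with the same name and start serving content to every client that still calls it. The following is an added example, not code from Eye Security or Microsoft, that shows the check a defender can run on their own outbound traffic: extract Azure storage hostnames from proxy logs, count how often devices still contact them, and flag the ones that no longer resolve. The log lines, the account names, and the offline `fake_resolve` stand-in are all constructed for the demo; in real use you would pass `socket.gethostbyname` (the default) as the resolver.

```python
"""Flag outbound requests to Azure storage hostnames that no longer resolve.

An Azure storage account name is globally unique, and its hostname only
resolves while the account exists. A host that clients still contact but
that returns NXDOMAIN is therefore a takeover candidate: anyone can create
the account and start serving whatever the clients expect to find there.
"""
import re
import socket
from collections import Counter

# Hostname suffixes used by Azure storage services.
AZURE_STORAGE_SUFFIXES = (
    ".blob.core.windows.net",
    ".file.core.windows.net",
    ".queue.core.windows.net",
    ".table.core.windows.net",
)

# Pulls the hostname out of a URL in a proxy log line.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

# Constructed sample proxy log lines (not real data); the account names are hypothetical.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.12 GET https://updhealthtools01.blob.core.windows.net/pkgs/manifest.xml 200
2024-05-01T10:00:02Z src=10.0.0.15 GET https://updhealthtools02.blob.core.windows.net/pkgs/manifest.xml 200
2024-05-01T10:00:03Z src=10.0.0.12 GET https://contoso-intranet.example.com/index.html 200
2024-05-01T10:00:04Z src=10.0.0.20 GET https://updhealthtools02.blob.core.windows.net/pkgs/tool.cab 200
2024-05-01T10:00:05Z src=10.0.0.31 GET https://updhealthtools09.blob.core.windows.net/pkgs/manifest.xml 200
"""

# Constructed resolver state for the offline demo: which sample hosts still exist.
# updhealthtools02 is deliberately absent, modelling a deleted storage account.
FAKE_DNS = {
    "updhealthtools01.blob.core.windows.net": "20.60.0.1",
    "updhealthtools09.blob.core.windows.net": "20.60.0.9",
}


def fake_resolve(host):
    """Stand-in resolver for the demo; raises like socket.gethostbyname does on NXDOMAIN."""
    if host not in FAKE_DNS:
        raise socket.gaierror("Name or service not known")
    return FAKE_DNS[host]


def extract_storage_hosts(log_text):
    """Return a Counter of Azure storage hostnames seen in the log and how often."""
    hosts = Counter()
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if host.endswith(AZURE_STORAGE_SUFFIXES):
            hosts[host] += 1
    return hosts


def find_dangling(hosts, resolve=socket.gethostbyname):
    """Return {host: request_count} for hosts that fail to resolve (takeover candidates)."""
    dangling = {}
    for host, count in hosts.items():
        try:
            resolve(host)
        except socket.gaierror:
            dangling[host] = count
    return dangling


if __name__ == "__main__":
    seen = extract_storage_hosts(SAMPLE_LOG)
    for host, count in sorted(find_dangling(seen, fake_resolve).items()):
        print(f"DANGLING {host} ({count} requests still being sent)")
```

Two caveats apply when running this for real. A failed lookup is a signal, not proof: confirm that the account name is actually available before treating it as claimable. Conversely, a name that does resolve is not automatically safe, because a third party may already have registered it; for hosts your own software depends on, verify that the account belongs to the tenant you expect, not merely that it exists.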

Vulnerability Patched

The researchers reported the vulnerability to Microsoft. All storage locations involved have since been transferred, so the abandoned names can no longer be claimed by an outside party and further abuse is ruled out.

According to Eye Research, this underscores the importance of an ‘assume breach’ approach: systems and infrastructure age, and dependencies nobody controls turn into security risks. Even well-known, trusted software components can become vulnerable when the systems they rely on disappear without notice.