A flaw in Microsoft’s Update Health Tools exposed Windows devices to remote code execution by exploiting abandoned Azure Blob Storage accounts.
This tool, detailed in KB4023057, helps enterprises deploy updates faster via Intune. However, it also trusts unverified JSON configs fetched from hijackable storage.
Security firm Eye Security uncovered the issue after registering unused accounts, such as payloadprod0.blob.core.windows.net.
Attack Mechanics
Update Health Tools runs uhssvc.exe from C:\Program Files\Microsoft Update Health Tools, a Microsoft-signed binary that fetches configs from predictable Azure endpoints.
In version 1.0, it queries paths like /<tenant_hash>/enrolled.json and /<tenant_hash>/Devices/<device_hash>.json to check enrollment and policies.
Attackers who claim orphaned accounts serve fake JSON with "EnterpriseActionType": "ExecuteTool", directing the execution of signed binaries such as explorer.exe.
The service verifies embedded Microsoft signatures but allows explorer.exe, which attackers abuse by passing parameters to launch payloads such as calc.exe.

Version 1.1 shifts to devicelistenerprod.microsoft.com but keeps blob fallback via registry keys like UHS.ENABLEBLOBDSSCHECK=1.
Global requests hit unregistered blobs, confirming widespread exposure in Entra-joined setups.
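A defender-side check for the blob fallback behaviour described above, as an added example that is not code from Eye Security or Microsoft: it scans proxy log lines for uhssvc.exe fetches of the version 1.0 blob paths and reports which hosts still fall back to Blob Storage and which storage accounts they contact, so those hosts can be updated or have fallback disabled. The log format (timestamp, host, process, method, URL, status), the sample lines, the storage account names other than payloadprod0, and the hash character set are all constructed assumptions.

```python
"""Report Update Health Tools (uhssvc.exe) traffic that falls back to Azure Blob
Storage. Added example for this article, not Eye Security's or Microsoft's code.
The log format, sample lines, account names other than payloadprod0 and the
hash character set are constructed assumptions."""
import re
from collections import defaultdict
from typing import Optional

# Constructed log format: timestamp host process method url status
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# The article's version-1.0 paths, /<tenant_hash>/enrolled.json and
# /<tenant_hash>/Devices/<device_hash>.json, on an Azure storage account.
# Storage account names are 3-24 lowercase letters and digits; the hash
# alphabet below is an assumption.
BLOB_RE = re.compile(
    r"^https?://(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net"
    r"/(?P<tenant>[A-Za-z0-9_-]+)/"
    r"(?:(?P<enrolled>enrolled\.json)|Devices/(?P<device>[A-Za-z0-9_-]+)\.json)$"
)

# Constructed sample proxy log (not real traffic). payloadprod0 is the account
# named in the article; examplestore1/example0blob are made-up names.
SAMPLE_LOG = """\
2025-07-10T08:01:12Z WKS-01 uhssvc.exe GET https://payloadprod0.blob.core.windows.net/3f2a9c1e7b5d4a6f/enrolled.json 200
2025-07-10T08:01:13Z WKS-01 uhssvc.exe GET https://payloadprod0.blob.core.windows.net/3f2a9c1e7b5d4a6f/Devices/9b8c7d6e5f4a3b2c.json 200
2025-07-10T08:02:40Z WKS-02 uhssvc.exe GET https://devicelistenerprod.microsoft.com/api/config 200
2025-07-10T08:03:05Z WKS-03 chrome.exe GET https://example0blob.blob.core.windows.net/3f2a9c1e7b5d4a6f/enrolled.json 200
2025-07-10T08:04:59Z WKS-04 uhssvc.exe GET https://examplestore1.blob.core.windows.net/a1b2c3d4e5f60718/Devices/0011223344556677.json 404
"""


def parse_blob_fetch(line: str) -> Optional[dict]:
    """Return details if the line is a uhssvc.exe fetch of a blob config path, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["proc"].lower() != "uhssvc.exe":
        return None
    b = BLOB_RE.match(m["url"])
    if not b:
        return None
    return {
        "host": m["host"],
        "account": b["account"],
        "tenant": b["tenant"],
        "kind": "enrollment" if b["enrolled"] else "policy",
        "device": b["device"],
        "status": int(m["status"]),
    }


def summarize(log_text: str) -> dict:
    """Group uhssvc.exe blob fetches by storage account name."""
    report = defaultdict(lambda: {"hosts": set(), "tenants": set(),
                                  "enrollment": 0, "policy": 0})
    for line in log_text.splitlines():
        f = parse_blob_fetch(line)
        if f is None:
            continue
        entry = report[f["account"]]
        entry["hosts"].add(f["host"])
        entry["tenants"].add(f["tenant"])
        entry[f["kind"]] += 1
    return dict(report)


def hosts_using_blob_fallback(report: dict) -> list:
    """Hosts whose Update Health Tools still talk to Blob Storage at all."""
    return sorted({h for e in report.values() for h in e["hosts"]})


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for account, e in sorted(rep.items()):
        print(f"{account}.blob.core.windows.net: hosts={sorted(e['hosts'])} "
              f"tenants={len(e['tenants'])} enrollment={e['enrollment']} policy={e['policy']}")
    print("hosts still using blob fallback:", hosts_using_blob_fallback(rep))
```

Any host listed by hosts_using_blob_fallback is worth checking for the fallback registry setting and the installed tool version; the storage account names in the report are the ones whose registration status matters.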
Scale and Fixes
Eye Security logged 544,386 requests over seven days from 10 accounts, spanning 9,976 Azure tenants.
Among them, 8,536 checked enrollment, while 3,491 tenants had 40,973 devices fetch policies.
| Metric | Count |
| --- | --- |
| Total HTTP Requests | 544,386 |
| Unique Tenants | 9,976 |
| Enrollment Checks | 8,536 |
| Policy-Fetching Devices | 40,973 |
Researchers disclosed the issue on July 7, 2025; Microsoft confirmed it on July 17 and took ownership of the accounts on July 18.
Update to the latest tools, turn off blob fallback, and audit external dependencies to mitigate. Windows 11 24H2 removes the tool entirely.