How the “Downdate” Attack Rolls Back Windows Updates to Exploit Old Vulnerabilities
At Black Hat 2024, SafeBreach researcher Alon Leviev revealed a “Downdate” technique that manipulates the Windows update mechanism to roll back the operating system and critical components to vulnerable older versions, exposing numerous historic flaws and enabling potential full system compromise.
Presenting at the conference in Las Vegas, Leviev showed how “Downdate” exploits a flaw in the Windows update process to revert the operating system and key components to older, vulnerable versions.
Motivation and Background
Leviev’s investigation was sparked by the 2022 BlackLotus UEFI bootkit, which achieved persistence by downgrading the Windows boot manager to a vulnerable version. This motivated him to explore whether similar downgrade paths could be found within the Windows update infrastructure.
Technical Mechanics of the Downgrade
By deeply analyzing the Windows update workflow, Leviev discovered that the system places update requests in a special folder that is later validated by Microsoft’s update servers. The server creates a controlled “pending.xml” file that lists the steps for applying the update, including which files to replace and where to store new code.
Although the server‑side folder is protected, the client‑side “pending.xml” contains an entry called PoqexecCmdline that is not locked down. Leviev demonstrated that by manipulating this entry, an attacker can alter the update plan without the server’s knowledge, effectively steering the update process to install older binaries.
Components Subject to Downgrade
The attack can target a wide range of components, including hardware‑related drivers, system DLLs, and the NT kernel itself. Leviev also showed that security‑critical modules such as the Windows security kernel, Credential Guard, the hypervisor‑based virtual machine monitor, and the Virtualization‑Based Security (VBS) framework can be rolled back to versions containing known, patched vulnerabilities.
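Because the update plan described above can be steered to reinstall older binaries, a practical defensive check is to record the file versions of the security‑critical components named in this section after each successful patch cycle and compare later observations against that baseline. The following script is an added example written for this page (it is not code from the article or from the SafeBreach research); the mapping of component names to on‑disk file names and the version numbers in the sample data are assumptions constructed for illustration, and the version.dll calls are the standard Win32 file‑version API.

```python
"""Detect rolled-back versions of security-critical Windows binaries.

Added example, not from the article or SafeBreach. It compares observed
file versions against a known-good baseline recorded after patching and
reports any component whose version went backwards or disappeared.
"""
import ctypes
import os
import sys
from typing import Dict, List, Optional, Tuple

# Component -> file name under %SystemRoot%\System32. The file names are the
# real on-disk names; which ones to watch is an assumption of this example,
# chosen from the components the article lists as downgrade targets.
WATCHED_FILES = {
    "NT kernel": "ntoskrnl.exe",
    "Secure kernel (VBS)": "securekernel.exe",
    "Hyper-V hypervisor": "hvix64.exe",   # hvax64.exe on AMD systems
    "Code integrity": "ci.dll",
}

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '10.0.22621.2428' into a comparable tuple; missing fields become 0."""
    parts = [int(p) for p in text.strip().split(".") if p]
    if not parts or len(parts) > 4:
        raise ValueError(f"bad version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


def find_downgrades(baseline: Dict[str, str],
                    observed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, baseline_version, observed_version) for each component
    whose observed version is lower than the recorded baseline. A component
    that is missing from the observation is reported as well, since a removed
    file is equally suspicious when the update mechanism is being steered."""
    findings = []
    for name, base_text in sorted(baseline.items()):
        seen = observed.get(name)
        if seen is None:
            findings.append((name, base_text, "missing"))
        elif parse_version(seen) < parse_version(base_text):
            findings.append((name, base_text, seen))
    return findings


def read_file_version(path: str) -> Optional[str]:
    """Read the fixed file version of a PE via version.dll (Windows only)."""
    if sys.platform != "win32":
        return None
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        return None
    ptr, length = ctypes.c_void_p(), ctypes.c_uint()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        return None
    # VS_FIXEDFILEINFO: dwFileVersionMS at offset 8, dwFileVersionLS at offset 12
    ms = ctypes.c_uint32.from_address(ptr.value + 8).value
    ls = ctypes.c_uint32.from_address(ptr.value + 12).value
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def collect_observed(system32: Optional[str] = None) -> Dict[str, str]:
    """Collect current versions of the watched files on a Windows host."""
    root = system32 or os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    out: Dict[str, str] = {}
    for name, fname in WATCHED_FILES.items():
        version = read_file_version(os.path.join(root, fname))
        if version:
            out[name] = version
    return out


# Constructed sample data: a baseline recorded after the last patch cycle and
# a later observation in which the secure kernel has been rolled back and the
# code-integrity module is gone. The version numbers are illustrative only.
SAMPLE_BASELINE = {
    "NT kernel": "10.0.22621.2428",
    "Secure kernel (VBS)": "10.0.22621.2428",
    "Hyper-V hypervisor": "10.0.22621.2428",
    "Code integrity": "10.0.22621.2428",
}
SAMPLE_OBSERVED = {
    "NT kernel": "10.0.22621.2428",
    "Secure kernel (VBS)": "10.0.22621.1",
    "Hyper-V hypervisor": "10.0.22621.2506",   # newer than baseline: fine
}

if __name__ == "__main__":
    # On a real host, persist collect_observed() after patching as the baseline
    # and run find_downgrades() against fresh collections on a schedule.
    for comp, base, seen in find_downgrades(SAMPLE_BASELINE, SAMPLE_OBSERVED):
        print(f"DOWNGRADE? {comp}: baseline {base}, observed {seen}")
```

The comparison is deliberately strict in one direction only: a newer version than the baseline is accepted (a legitimate update), while any lower version or a missing file is flagged, because a rollback of exactly these components is the outcome the research describes.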
Impact and Threat Landscape
While the technique does not provide a direct remote‑access vector, it enables an attacker who already has a limited foothold on a machine to re‑introduce a large number of historic vulnerabilities, potentially achieving full system control. Microsoft has not observed active exploitation of this method in the wild.
Mitigation Efforts
Microsoft responded that it is developing mitigations, including the careful removal of vulnerable VBS system files and extensive testing across affected Windows versions to minimize disruption while protecting customers.
Conclusion
The “Downdate” research highlights a critical, previously under‑examined attack surface in the trusted Windows update mechanism, underscoring the need for developers and defenders to monitor downgrade pathways and improve detection of stealthy update‑based compromises.
Reference: https://www.wired.com/story/windows-update-downdate-exploit/
ITPUB