Microsoft's July 2025 Patch Tuesday delivers a fix for a high-severity missing authorization vulnerability in the Windows StateRepository API, tracked as CVE-2025-49723. The bug lets an already authenticated local attacker tamper with system files, opening a reliable path to full privilege escalation. But even before patching begins, IT teams are tripping over a CVE identifier mismatch — some reports erroneously label the flaw as CVE-2025-53789 — threatening to derail vulnerability management workflows.

Administrators who move fast on this update close a door that leads straight from a low-privilege process to system-level compromise. The StateRepository API is a core Windows component that persists application and system state across sessions. By targeting the missing authorization check, an attacker on a machine can overwrite or poison configuration files that higher-privileged services later read and execute. The result: a classic elevation-of-privilege chain that grants full control.

Technical Breakdown: Missing Authorization Exposes Trusted Store

The flaw is classified as CWE-862 (Missing Authorization). The StateRepository API's server component fails to perform a proper access-control check before allowing file operations. In practice, a process running with low privileges can call the API and write to, modify, or replace state files that system services or high-integrity applications later consume.

The attack vector is local, meaning an attacker must have some form of authorized access to the machine — a standard user account, a low-integrity process, or a delegated identity will do. No user interaction is needed; the exploit can be fully automated. Microsoft's advisory confirms that the attacker does not require SYSTEM or administrative rights to reach the vulnerable API call.

Exploitation is straightforward in concept: the attacker uses the API to tamper with state-stored data, then waits for or actively triggers a privileged component to read that tainted data. Because the API is designed to manage configuration states for Windows components and apps, it is intrinsically trusted. Poisoning those inputs can lead to arbitrary code execution in a privileged context, service binary replacement, or DLL side-loading. Security researchers and vulnerability databases emphasize that this local primitive, chained with known post-exploitation techniques, yields total compromise.

CVSS Score and Impact

OpenCVE and other aggregators rate this vulnerability with a CVSS v3.1 base score of 8.8, categorized as HIGH. The full vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C.

Key elements:
- Attack Vector: Local (AV:L) — the attacker must run code on the target system.
- Attack Complexity: Low (AC:L) — no special conditions required.
- Privileges Required: Low (PR:L) — a non-privileged user can exploit it.
- User Interaction: None (UI:N) — no tricking a user into acting.
- Scope: Changed (S:C) — the vulnerable component impacts resources beyond its security scope.
- Impact: High for confidentiality, integrity, and availability (C:H/I:H/A:H).

The scope change is particularly dangerous: it signifies that exploiting the StateRepository API can break out of its original security boundary, allowing a low-privilege process to inflict damage on the wider system. That raises the score and the urgency.

Affected Windows Versions and the July 2025 Patches

The CVE record shows a broad impact across Windows 10, Windows 11, and Windows Server. All supported versions up to the fix release are affected. The following table summarizes the build ranges and the required update.

Product Version range (affected) Fixed build (or later)
Windows 10 1809 / Server 2019 10.0.17763.0 – 10.0.17763.7557 10.0.17763.7558
Windows 10 21H2 / 22H2 10.0.19044.0 – 10.0.19044.6092 10.0.19044.6093
Windows 11 22H2 / 23H2 10.0.22621.0 – 10.0.22621.5623 10.0.22621.5624
Windows 11 23H2 (ARM) 10.0.22631.0 – 10.0.22631.5623 10.0.22631.5624
Windows 11 24H2 / Server 2025 10.0.26100.0 – 10.0.26100.4651 10.0.26100.4652
Windows Server 2022 10.0.20348.0 – 10.0.20348.3931 10.0.20348.3932
Windows Server 23H2 10.0.25398.0 – 10.0.25398.1731 10.0.25398.1732

The fix shipped as part of the July 8, 2025 cumulative updates. Key packages:
- KB5062552 for Windows 11 22H2/23H2 (build 22621.5624 and 22631.5624)
- KB5062554 for Windows 10 21H2/22H2 (build 19044.6093 and 19045.6093)
- KB5062557 for Windows Server 2019 (build 17763.7558)

Always verify the exact KB that matches your OS build using the Microsoft Update Catalog or your WSUS console. Some updates, notably KB5062557 for Windows Server 2019, carry known issues: Cluster Service instability when Cluster Shared Volumes (CSV) and BitLocker are in use. Microsoft’s release health notes warn that virtual machines on affected clusters may fail to start or lose connectivity until the underlying host is patched and rebooted. Test these updates in a pilot group before broad deployment, particularly on clustered servers.

Deployment Considerations and Potential Side Effects

Monthly cumulative updates are monolithic; installing the wrong package can lead to rollback headaches. Verify the OS build and edition (e.g., LTSC, LTSB) before applying. For enterprises using WSUS or ConfigMgr, ensure the update catalog has synchronized the new packages. Staged rollouts are strongly recommended:

  • Patch a representative set of endpoints — include different hardware, client and server SKUs, and critical applications.
  • For Windows Server 2019 clusters, deploy to a non-production test cluster first. Monitor CSV failover, BitLocker recovery operations, and VM mobility.
  • Keep rollback images or backup snapshots available. If a regression appears, uninstalling the cumulative update via elevated command line (wusa /uninstall /kb:5062557 for example) may be necessary, though Microsoft always recommends moving forward to a newer fix when available.

On the security side, the absence of a public proof-of-concept exploit for CVE-2025-49723 does not reduce urgency. Local privilege escalation primitives are often weaponized within hours of a patch release. Patch promptly.

Detection and Incident Response

Because the attack is local and file‑based, detection must focus on anomalous file modifications in StateRepository work paths and on privilege escalation chains. Recommended steps:

  • Monitor directories used by the StateRepository service. (If the exact paths are not documented, generate a baseline of normal file patterns in %ProgramData%, %Windir%\System32\config and subdirectories of %Windir%\ServiceState.)
  • Log process creation events (Event ID 4688) and file system changes (Sysmon Event ID 11/13, Windows Security Event 4663). Alert on non‑privileged processes writing to protected system state files.
  • Use EDR rules to detect common post‑exploitation techniques: scheduled task creation, service binary replacement, or DLL sideloading that follows an initial tamper.
  • Correlate user logon sessions with unexpected file operations. A low‑privilege account that suddenly writes to a system‑owned configuration store is a high‑fidelity indicator.

If you confirm exploitation, isolate the host from the network immediately. Capture volatile evidence (memory dump, running process list, prefetch) and persistent data (relevant registry hives, logs). Reimage from known‑good media because once a system‑level compromise occurs, remediation through cleaning is unreliable. Rotate all credentials and secrets that were ever present on the affected machine, especially service account tokens and any keys stored in or near the tampered artifacts.

The CVE Number Mismatch: CVE‑2025‑49723 vs CVE‑2025‑53789

Multiple independent sources confirm the canonical identifier for this StateRepository vulnerability is CVE‑2025‑49723. The CVE record was published on July 8, 2025, by Microsoft, and the MSRC advisory page references it directly. Vulnerability databases (OpenCVE, Rapid7, NVD) and the CISA ADP enrichment all list it under that ID.

However, some third‑party feeds and internal ticketing systems have surfaced the number CVE‑2025‑53789 in connection with the same advisory. The MSRC advisory page for CVE‑2025‑53789 may exist, but attempting to view it returns a generic or placeholder entry, strongly suggesting a reporting error. Administrators must not assume these are two distinct vulnerabilities; the descriptions, affected components, and patch packages coincide exactly with CVE‑2025‑49723.

Before pushing patches, reconcile any mismatches:
- Search your vulnerability management console for both IDs.
- If you find CVE‑2025‑53789 entries, check the description and KB mapping. If they match the StateRepository API missing authorization flaw, flag the record as a duplicate and overwrite with CVE‑2025‑49723.
- Verify against the official MSRC page (which requires JavaScript to render) and the NVD listing.
- Communicate the correction to your SOC and patching teams to avoid confusion during audits.

Why This Class of Vulnerability Demands Urgency

Missing authorization bugs in system state repositories are deceptively potent. The Windows StateRepository acts as a trusted intermediary between user‑mode applications and elevated system services. Developers assume that data written into the repository has passed some authorization check — the API name itself implies a role in maintaining system‑wide consistency. When that check is absent, a low‑privileged actor can inject arbitrary data into the trust chain.

The classic kill chain: a standard‑user process writes a malicious configuration record; a scheduled task or service runs hours later, parsing that record as input; the parsing operation triggers a design flaw that leads to code execution as SYSTEM. This pattern has been seen in previous Windows vulnerabilities, including the State Repository Service elevation‑of‑privilege bug tracked as CVE‑2022‑21863, which also involved a local tampering primitive. CVE‑2025‑49723 extends the lineage, and the missing authorization makes exploitation simpler because no race conditions or symbolic link tricks are needed.

Defenders who harden endpoints now — enforcing application allowlisting, restricting local account privileges, and segmenting networks — significantly raise the cost of exploitation even before the patch lands. But the ultimate control is deploying the July 2025 cumulative update.

Patching Checklist for IT Administrators

  1. Identify all affected assets using your asset management tool. Match the OS build to the vulnerable ranges in the table above.
  2. Map each asset to the correct KB package. For example, Windows 11 23H2 x64 requires KB5062552 (build 22631.5624).
  3. Pilot the update on a representative set of clients and servers, including clustered servers, for at least 24 hours. Monitor for the known CSV/BitLocker issue on Windows Server 2019.
  4. Deploy broadly using your standard change management process. Prioritize multi‑user servers, domain controllers, and any machine that allows non‑admin logons.
  5. Enforce compensating controls on unpatched hosts: restrict local logon rights, apply WDAC/AppLocker, and increase monitoring via Sysmon or Defender for Endpoint.
  6. Update SIEM detection rules to hunt for signs of local tampering and privilege escalation attempts.
  7. Remediate the CVE number mismatch in all vulnerability tracking systems before audit season.

Final Word

CVE‑2025‑49723 is a textbook case of an access‑control slip that hands a local attacker the keys to the kingdom. The fix is in the July 2025 Patch Tuesday updates, and the only acceptable response is a swift, verified rollout. While there is no exploit in the wild at the time of writing, the combination of low privilege requirement and no user interaction makes it a prime candidate for professional red teams and sophisticated adversaries alike.

For administrators confronting the CVE‑2025‑53789 ghost ID, resolving that confusion is part of the patching job: use the real ID, track the real patches, and lock down the real attack surface. The StateRepository API may be a quiet background worker, but in this case, it’s the loudest alarm in the environment.