2 min read

Remote code execution via Microsoft’s Windows Update Health Tools

November 20, 2025
By: Martin Warmer

For readers who want the full technical analysis, the detailed research blog is available here.

A trusted Windows tool with an unexpected attack path

Eye Research uncovered a vulnerability in Microsoft’s Windows Update Health Tools that could have enabled remote code execution on Windows machines at almost ten thousand companies worldwide. The tool, shipped automatically through Windows Update, is designed to improve the reliability of updates. Yet an older version continued reaching out to Azure storage locations that were no longer owned or monitored by Microsoft.

Whoever controlled those abandoned locations could influence what the tool downloaded. Under the right circumstances, this created a path to run code on devices that trusted it implicitly.

Following the trail of an abandoned Azure endpoint

This research began as an investigation into forgotten cloud infrastructure. While monitoring DNS traffic, one Azure storage domain immediately stood out. When we registered it, global traffic began arriving within hours: structured requests from devices using a Microsoft-signed update service.

A predictable naming pattern revealed more abandoned endpoints. Over seven days, ten of these accounts received more than half a million requests from nearly ten thousand Azure tenants. Controlled testing confirmed that, under specific conditions, remote code execution was possible.

A simple calculator pop-up is the classic, safe way to prove RCE: the system executed a command it should never have trusted.
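Defender-side detection of the pattern described above, written as an added example rather than code from Eye Research or the original post: it scans resolver logs in an assumed four-field format for Azure Storage names that clients keep querying even though they no longer resolve, and for names that later start resolving again. The storage names and addresses in the sample log are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed sample resolver log (not from the original post); assumed line
# format is "<timestamp> <client-ip> <queried-name> <rcode>", in time order.
SAMPLE_DNS_LOG = """\
2025-11-20T08:00:01Z 10.0.0.11 exampleupdate01.blob.core.windows.net NOERROR
2025-11-20T08:00:02Z 10.0.0.12 exampleupdate02.blob.core.windows.net NXDOMAIN
2025-11-20T08:00:03Z 10.0.0.13 exampleupdate02.blob.core.windows.net NXDOMAIN
2025-11-20T08:00:04Z 10.0.0.14 login.microsoftonline.com NOERROR
2025-11-20T08:00:05Z 10.0.0.15 exampleupdate03.blob.core.windows.net NXDOMAIN
2025-11-20T09:30:00Z 10.0.0.12 exampleupdate03.blob.core.windows.net NOERROR
"""

# Public DNS suffixes used by Azure Storage service endpoints.
STORAGE_SUFFIXES = (".blob.core.windows.net", ".file.core.windows.net",
                    ".queue.core.windows.net", ".table.core.windows.net",
                    ".dfs.core.windows.net")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

def storage_queries(log_text):
    """Yield (timestamp, client, name, rcode) for Azure Storage lookups only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, client, name, rcode = m.groups()
        name = name.lower().rstrip(".")
        if name.endswith(STORAGE_SUFFIXES):
            yield ts, client, name, rcode

def dangling_storage_names(log_text):
    """Map each non-resolving storage name to the clients still asking for it."""
    # NXDOMAIN on a storage hostname means no account currently holds that name,
    # so whoever creates an account with that name inherits the clients' trust.
    hits = defaultdict(set)
    for _ts, client, name, rcode in storage_queries(log_text):
        if rcode == "NXDOMAIN":
            hits[name].add(client)
    return dict(hits)

def resurrected_storage_names(log_text):
    """Names that were NXDOMAIN earlier in the log but resolve again later."""
    # The 'quietly changed hands' signal: a name the fleet never stopped
    # contacting has been re-created by an unknown party and now answers.
    missing, flipped = set(), set()
    for _ts, _client, name, rcode in storage_queries(log_text):
        if rcode == "NXDOMAIN":
            missing.add(name)
        elif rcode == "NOERROR" and name in missing:
            flipped.add(name)
    return sorted(flipped)
```

Either finding is worth an alert: a dangling name should be removed from the software that references it, and a resurrected one should be treated as untrusted until ownership is confirmed.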

When a routine update check becomes a blind spot

A helpful way to picture the situation is to imagine a fleet of company vehicles arriving at the same warehouse every morning to pick up instructions. One day, the warehouse is no longer staffed, but the vehicles keep arriving. The doors remain open. The process still works, yet nobody is watching what gets left behind on the desk.

The older version of the tool behaved exactly like those vehicles, continuing to trust locations that had quietly changed hands.

Why this matters for any organisation running Windows

This case shows how vulnerabilities sometimes emerge not through active attacks but through legacy behaviour that outlives its original context. Even well-established tools from major vendors can contain hidden dependencies that create unexpected exposure at scale.

It also reinforces the importance of an assume-breach mindset. Systems evolve, infrastructure ages and blind spots appear in places no one thinks to check. Independent research helps surface those blind spots before they can be abused.


Closing the gap and protecting the ecosystem

We analysed the behaviour, confirmed the real-world impact and responsibly disclosed the issue to Microsoft. All affected storage accounts were transferred back to them immediately, removing the possibility of exploitation.

This discovery underscores the importance of examining overlooked components and the subtle ways risk can accumulate in widely deployed software.


About Eye Research

Eye Research is a dedicated group of security specialists with deep experience in both offensive and defensive operations, including backgrounds in Dutch national intelligence services such as the AIVD and MIVD. Their work focuses on uncovering real-world threats and hidden weaknesses to help make the digital ecosystem safer for everyone. More of their work can be found on the Eye Research website.
