Abstract
Over the past decades, Link-Following vulnerabilities have remained pervasive, despite continuous and active patching efforts by Microsoft and various vendors.
In June 2025, Microsoft released an official mitigation advisory targeting this attack surface, which has only intensified the security community’s attention on it.
In this presentation, we reveal a full-chain local privilege escalation (LPE) exploitation path rooted in link-following vulnerabilities, culminating in the discovery of a long-overlooked zero-day in wersvc.
This previously ignored component significantly broadens the Link-Following attack surface. Leveraging it, we identified dozens of high-impact LPE vulnerabilities, including several in core Windows services maintained by Microsoft. Our findings suggest this is only the tip of the iceberg.
We will walk through the complete exploitation chain, demonstrating how Link-Following bugs can be reliably abused in real-world scenarios to gain SYSTEM privileges.
This includes case studies that showcase the depth and breadth of this class of vulnerabilities across the Windows ecosystem.
Additionally, we analyze mitigation strategies deployed in specific real-world cases and reveal how they can be bypassed in practice, highlighting the inherent challenges in fully remediating this class of vulnerabilities.
Attendees will gain new perspectives on the attack surface, practical techniques to identify similar vulnerabilities, and insights into defending against them in modern Windows environments.
Bio
Bocheng Xiang (@crispr_x) is a PhD candidate at Fudan University.
He is listed on the MSRC MVR 2024/2025 and ranked Top #20 on the MSRC 2024 Q3 Windows Leaderboard.
He has published papers at USENIX Security 2025, and one topic has been accepted by Black Hat USA 2025.
HeeChan Kim (@heegong123) is enrolled at Soongsil University.
He is ranked on the MSRC 2024 Q2 Windows Leaderboard and is also a member of TeamH4C. He worked at THEORI of Korea, researching Windows logic bugs.