The 250-Day Risk Window: How an AI PDF Editor Vulnerability Demonstrates the Public Directory Blind Spot

Discover how a 250-day AI PDF editor vulnerability exposed the risks of public directories, and why runtime visibility is key to closing blind spots.


By Team Spektion

In September 2025, security researchers disclosed a critical vulnerability (CVE-2025-10215) in UPDF, a popular AI-powered PDF editor. The flaw was devastatingly simple: an attacker could drop a malicious DLL into C:\Users\Public\AppData\Local\UPDF\FREngine\Bin64\ and the application would load it without question, running the attacker’s code in its own context [1, 2].

The vulnerability had been exploitable for over 250 days, from the software’s December 2024 release until the September 2025 disclosure. But here’s the real problem: this wasn’t a sophisticated zero-day exploit or an advanced persistent threat. It was a textbook example of one of cybersecurity’s most overlooked blind spots: an application loading code from a directory that every user on the machine can write to. A DLL hijacking vulnerability of this type is exactly the kind of risk that runtime visibility into software execution can identify, because the risky behavior (loading from a user-writable path) is observable long before anyone files a CVE.
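As an added example (not from the original post, and not vendor or researcher code), the following Microsoft Defender advanced hunting query surfaces the pattern described above: a process installed outside the public profile loading DLLs from under C:\Users\Public. Column names are those of the Defender DeviceImageLoadEvents schema; the 30-day window and the sort order are assumptions to tune for your environment.

```kql
// Added example: inventory DLL loads out of the public profile by processes that
// do not themselves live there (the UPDF pattern: an application directory that
// any local user can write to). Defender for Endpoint advanced hunting schema.
let lookback = 30d;                       // assumed window; tune to your retention
let public_root = @"c:\users\public\";
DeviceImageLoadEvents
| where Timestamp > ago(lookback)
| where FolderPath startswith public_root
| where FileName endswith ".dll"
// Software installed wholly under the public profile is a separate finding
// (covered by a process-level hunt); here we want cross-boundary loads.
| where not(InitiatingProcessFolderPath startswith public_root)
| summarize
    Loads     = count(),
    Devices   = dcount(DeviceId),
    Hashes    = make_set(SHA1, 20),
    Elevated  = countif(InitiatingProcessTokenElevation == "TokenElevationTypeFull"
                        or InitiatingProcessIntegrityLevel in~ ("High", "System")),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
  by FolderPath, FileName, InitiatingProcessFolderPath, InitiatingProcessFileName
// The same DLL path seen with more than one hash, or loaded by an elevated
// process, is where a hijack (or an unprivileged-to-SYSTEM path) shows up first.
| extend HashVariants = array_length(Hashes)
| order by Elevated desc, HashVariants desc, Loads desc
```

The result is the baseline itself: every (loader, DLL) pair crossing from a normal install location into the public profile. Rows with more than one hash at the same path, or with an elevated loader, deserve the first look; the rest are candidates for a documented exception or a vendor conversation.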

UPDF isn’t unique, and it represents the kind of unapproved software that users often install on corporate systems. Public directories like C:\Users\Public have become a highway for both legitimate software and malicious actors: they are readable and writable by every local user, and largely unmonitored. While security teams focus on detecting advanced TTPs, attackers quietly establish persistence in plain sight.

The Public Directory Problem: Convenience Meets Catastrophe

Windows includes a public profile (C:\Users\Public) that lets applications store files and settings accessible to every user on the system. For software vendors, it’s the path of least resistance: a single installation, available to all users, with minimal configuration overhead.

For attackers, it’s even more attractive. With minimal effort, malware dropped into this directory can count on being picked up regardless of which user logs in. The same convenience that makes it appealing to legitimate software makes it irresistible to threat actors.

Why Security Teams Miss This Attack Vector

In the absence of a well-defined baseline, many security teams deprioritize monitoring public directories because of how noisy they can be. The constant legitimate activity creates a signal-to-noise problem that most traditional security tools struggle to solve.

Attackers exploit this blind spot routinely, for three reasons:

  • Privilege escalation: a file written by an unprivileged user can later be loaded or executed by a process running as SYSTEM or an elevated account, which is exactly what a DLL hijack in a public application directory delivers
  • Ease of access: every local user can read and write here, so no exploit is needed to stage a file
  • Persistence: files here are picked up regardless of which user logs in, giving attackers long-term footholds

Bypassing Security Controls

Public directories create exploitable gaps in common security defenses that attackers routinely leverage.

Code Injection Techniques

Threat actors place malicious executables or DLLs in public directories and then inject code from those files into trusted processes that already sit inside EDR exclusion paths. Running inside an excluded, trusted process reduces the likelihood of detection, complicates forensic analysis, and lets the implant inherit the trust level of the target process for persistent compromise.

Controlled Folder Access Limitations

Even in mature environments with Controlled Folder Access deployed, public directories often remain unprotected because they are not in the default list of protected folders. Adding them requires careful tuning (allow-listing every legitimate application that writes there) to avoid breaking software, and organizations often skip the effort because they have no comprehensive baseline of legitimate public-directory usage.

EDR Evasion

Traditional endpoint detection tools struggle to monitor public directories because of the high volume of legitimate activity. Attackers exploit this by timing malicious activity to coincide with normal operations, using file names that mimic legitimate software, and hiding their own file operations among the constant legitimate ones.

Attack Patterns That Leverage Public Directories

Recent malware campaigns demonstrate how attackers systematically abuse these locations:

In a recent Remcos campaign [3], the HTA downloaded “…multiple payloads into C:\Users\Public\ directory.” These payload drops and their subsequent execution are the type of activity that runtime vulnerability detection can surface.

A PlugX campaign [4] placed “copies of the malicious files in multiple locations in the compromised system, specifically: C:\Users\Public\Public Mediae…” Traditional tools may miss this because the activity looks like normal file operations.

A Runtime Approach to Vulnerability Detection

This is where a runtime security approach proves valuable: it shifts the focus left, from detecting attacks to detecting vulnerabilities in real time. Unlike traditional tools that rely on signatures, behavioral patterns, or point-in-time analysis, runtime visibility provides a continuous, real-time inventory of what is executing across the environment.

Runtime vulnerability detection addresses this problem by providing:

  • A real-time inventory of potentially exploitable applications that use public directories
  • Continuous behavior baselines that identify when a legitimate application changes in a way that makes it vulnerable
  • Early detection of anomalies, including exploitation attempts, even in noisy environments

In situations like the UPDF case, this type of detection can provide much earlier visibility into risky activity in public directories (an application loading code from a path that any user can write to), rather than waiting for a vendor vulnerability disclosure.

Spektion has identified the “Application Launched from Public User Profile” risk in the following categories of software:

  • Remote Access
  • Learning and Development
  • OEM System Utilities executing with elevated privilege
  • Developer Tools
  • Web Browsers

Detection and Remediation—Hunting Example

Spektion users have access to a real-time inventory of all running processes that use the C:\Users\Public directory within their environment. This makes it easier to build an initial baseline of the tools across your estate that need a closer look, and to tune Controlled Folder Access and EDR exclusions efficiently. Doing this with standard methodologies generally gives analysts only point-in-time data, or only responses from endpoints that happen to be online: the result is either a false baseline or a manual effort that consumes valuable headcount cycles.

Using the example KQL query below, a hunt team can take the known binary file names, build a name-and-hash baseline, and, if desired, alert on executions or file creations in this directory that deviate from it.


```kql
// Baseline query: list the distinct name/hash pairs of known binaries that run
// from the public profile. KQL identifiers cannot contain hyphens, so the list is
// named with underscores; extend it with the names from your own inventory.
let known_public_binaries = dynamic([
    "binary1.exe", "binary2.exe", "binary3.exe"
]);
DeviceProcessEvents
| where FolderPath startswith @"c:\users\public\"   // startswith is case-insensitive
| where FileName in~ (known_public_binaries)
| distinct FileName, SHA1
```
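As an added example (not part of the original post), these are the drift hunts that the baseline above enables, again as Defender advanced hunting KQL. The placeholder names and hashes are assumptions: replace them with the distinct FileName/SHA1 pairs returned by the baseline query. The 7-day window is also an assumption.

```kql
// Added example: two hunts that fire on drift from the baseline of what normally
// runs out of C:\Users\Public. Baseline names/hashes below are placeholders to be
// filled from the distinct FileName/SHA1 output of the inventory query.
let public_root = @"c:\users\public\";
let known_public_binaries = dynamic(["binary1.exe", "binary2.exe", "binary3.exe"]); // placeholder names
let known_public_hashes   = dynamic(["<sha1-of-binary1>", "<sha1-of-binary2>"]);    // placeholder hashes
// 1. Executions from the public profile that are either an unknown file name, or a
//    known file name whose hash no longer matches the baseline (a replaced binary).
let unexpected_execs =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FolderPath startswith public_root
    | extend Reason = case(
        FileName !in~ (known_public_binaries), "unknown binary",
        SHA1 !in~ (known_public_hashes),        "known name, new hash",
        "")
    | where isnotempty(Reason)
    | project Timestamp, DeviceName, AccountName, FolderPath, FileName, SHA1,
              ProcessIntegrityLevel, ProcessCommandLine, Reason;
// 2. New executables or DLLs written into the public profile, with the process
//    that dropped them. SHA1 can be empty on a fresh FileCreated event, so an
//    empty hash is kept rather than treated as known.
let new_drops =
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where ActionType == "FileCreated"
    | where FolderPath startswith public_root
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | where isempty(SHA1) or SHA1 !in~ (known_public_hashes)
    | project Timestamp, DeviceName,
              AccountName           = InitiatingProcessAccountName,
              FolderPath, FileName, SHA1,
              ProcessIntegrityLevel = InitiatingProcessIntegrityLevel,
              ProcessCommandLine    = InitiatingProcessCommandLine,
              Reason                = "new exe/dll written";
union unexpected_execs, new_drops
| order by Timestamp desc
```

The “known name, new hash” branch is the one that catches the UPDF-style case: the file name stays exactly what the baseline expects, but the bytes behind it have changed. Both hunts can be saved as a custom detection once the baseline lists are populated and the false positives from legitimate updates have been reviewed.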

Conclusion: Addressing the Monitoring Challenge

The UPDF case shows that organizations can’t afford prolonged exposure windows while waiting for vendor vulnerability disclosures. Public directories will continue to be used by both legitimate software vendors and attackers, but the key differentiator is actionable visibility: knowing what is executing from these locations so you can secure that software before threats exploit it.

Runtime vulnerability detection provides the proactive visibility needed to identify these risks immediately rather than months later. For organizations serious about reducing blind spots in their security monitoring and gaining actionable intelligence about their actual risk exposure, runtime approaches represent a critical capability gap that needs addressing.

The question isn’t whether attackers will continue exploiting public directories, because they will. The question is whether your organization is equipped with the insights to detect them before they succeed.

Ready to close this visibility gap? See how Spektion’s runtime vulnerability management platform identifies public directory risks across your environment. Schedule a demo to eliminate massive exposure windows from your security program.

References:

[1] CVE-2025-10215: DLL search path hijacking vulnerability in the UPDF.exe executable for Windows

[2] INCIBE-CERT, “Multiple vulnerabilities in UPDF”: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-updf

[3] Qualys, “Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT”

[4] Trend Micro (US), “Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool”