5 min read | Saved February 14, 2026
Do you care about this?
The article describes a vulnerability in Microsoft's Update Health Tools that allowed remote code execution through abandoned Azure storage blobs. Researchers confirmed the flaw by registering the unclaimed storage accounts and monitoring the incoming HTTP requests, which showed that many devices were at risk because of misconfigurations. Microsoft has since addressed the issue following responsible disclosure.
If you do, here's more
Microsoft's Update Health Tools (KB4023057), intended to streamline security updates, inadvertently created a remote code execution (RCE) vulnerability. Researchers at Eye Security found that abandoned Azure blob storage accounts could let an attacker execute arbitrary code on vulnerable Windows devices. They worked out how the Update Health Service, uhssvc.exe, interacts with these blobs and discovered a predictable naming pattern for the storage accounts. Of the 15 candidate account names, 10 were still unregistered, so the researchers claimed them and monitored the incoming requests.
The researchers reverse-engineered the original version of the Update Health Tools and noted that it relied on Azure storage to check for updates: the service looks up a tenant's enrollment status and decides what to do based on JSON files. While they were exploring the RCE potential in v1.0, Microsoft replaced it with v1.1, which moved to a more secure web-service model. However, the old blob storage communication could still be enabled in the newer version, and with it enabled they were able to execute code.
During testing, they crafted a JSON payload that caused a calculator application to launch, demonstrating that the exploit was viable. In one week, they recorded more than 544,000 requests from nearly 10,000 unique Azure tenants. Given the size of the Windows install base, however, only a small fraction of machines were running the vulnerable version or had backward compatibility enabled. They reported the vulnerability to Microsoft in July 2025, and the storage accounts were securely transferred to the company, mitigating the risk. The researchers stressed that secure design principles are needed to prevent similar vulnerabilities in the future.
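A defender-side check for the legacy code path described above, added here and not taken from the article or from Eye Security: it scans Sysmon Event ID 22 (DNS query) records for uhssvc.exe reaching Azure Blob Storage endpoints and marks endpoints that no longer resolve as dangling. The sample records, file paths, account names and resolver table are constructed placeholders; the `.blob.core.windows.net` suffix is the standard public Azure Blob Storage endpoint.

```python
# Added example, not Eye Security's or Microsoft's code: flag legacy Azure Blob Storage
# lookups by uhssvc.exe in Sysmon Event ID 22 (DNS query) records. Hostnames, paths and
# the resolver table below are constructed placeholders.
from dataclasses import dataclass
from typing import Callable, Iterable, List

BLOB_SUFFIX = ".blob.core.windows.net"  # public Azure Blob Storage endpoint suffix
SERVICE_IMAGE = "uhssvc.exe"            # Update Health Service binary named in the article

@dataclass
class Finding:
    host: str       # storage endpoint the service tried to reach
    account: str    # storage account name (first DNS label)
    dangling: bool  # True if the host does not resolve, i.e. an unclaimed account

def find_legacy_blob_lookups(events: Iterable[str],
                             resolves: Callable[[str], bool]) -> List[Finding]:
    """Return one Finding per blob-storage DNS lookup issued by uhssvc.exe.

    Records are 'Image|QueryName'. Any hit means the legacy blob code path (v1.0,
    or v1.1 with backward compatibility enabled) is active on that machine; a
    host that no longer resolves is the higher-risk case.
    """
    findings: List[Finding] = []
    for line in events:
        image, sep, query = line.strip().partition("|")
        if not sep or not query:
            continue  # malformed record
        query = query.lower().rstrip(".")  # normalise case and trailing dot
        if image.lower().rsplit("\\", 1)[-1] != SERVICE_IMAGE:
            continue
        if not query.endswith(BLOB_SUFFIX):
            continue
        account = query[: -len(BLOB_SUFFIX)]
        findings.append(Finding(query, account, dangling=not resolves(query)))
    return findings

# Constructed sample data: paths and account names are placeholders, not real.
SAMPLE_EVENTS = [
    r"C:\example\uhssvc.exe|exampleacct01.blob.core.windows.net",
    r"C:\example\UHSSVC.EXE|ExampleAcct02.blob.core.windows.net.",
    r"C:\Windows\System32\svchost.exe|exampleacct03.blob.core.windows.net",
    r"C:\example\uhssvc.exe|api.example.invalid",
    "malformed record",
]
REGISTERED = {"exampleacct01.blob.core.windows.net"}  # constructed resolver answers

if __name__ == "__main__":  # stand-alone run: one line per finding
    print(*find_legacy_blob_lookups(SAMPLE_EVENTS, lambda h: h in REGISTERED), sep="\n")
```

In production the `resolves` callback would wrap real DNS resolution; a dangling result for a name the service still derives is the condition the article describes.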