Micropatches Released for Windows Disk Cleanup Tool Elevation of Privilege Vulnerability (CVE-2025-21420)
February 2025 Windows Updates brought a patch for CVE-2025-21420, a local privilege elevation vulnerability that allows a local attacker to execute malicious code in another user's existing session, under that user's identity. Microsoft's advisory does not reveal who reported the vulnerability (or whether it was discovered internally).

The Vulnerability

Security researcher moiz reverse engineered Microsoft's patch for cleanmgr.exe in February's Windows updates and found that Microsoft had added the ProcessRedirectionTrustPolicy mitigation (a.k.a. Redirection Guard) to the process, which causes it to ignore symbolic links created by low-privileged users. Based on this, moiz monitored the behavior of the Disk Cleanup tool when launched and found that it was vulnerable to symbolic link redirection: placing a symbolic link from a file that a low-privileged user can create to another file that only a high-privileged user can delete results in deletion of the latter file when Disk Cleanup's scheduled task is launched. Moiz graciously shared their analysis and POC.

Arbitrary file deletion can be turned into arbitrary code execution as Local System, as first shown by Jonas Lykkegård in 2020 using Windows Error Reporting Service, and subsequently also by Abdelhamid Naceri using Windows Installer.

So the low-privileged user just prepares the right files, sets symbolic links, and starts the scheduled task? Hmm, strange, because the Disk Cleanup scheduled task is set to run as "Users", not some privileged account like "Local System". One would expect it to be launched with the attacker's own identity, which would not result in file deletion due to permissions on the target file. The fact that the task is set to "Run with highest privileges" doesn't help either: that only ensures that if a non-elevated admin were to launch it, it would run as elevated admin, and the attacker cannot be elevated.

So why does the attack work at all?

It turns out that (cue raised eyebrows) launching the Disk Cleanup scheduled task as any logged-in user not only gets it launched in said user's session, but in all existing sessions on the computer, just as if those other users had launched it themselves. This means that if an administrator is logged in to the computer and the attacker then connects to it via remote desktop, the attacker will be able to launch the Disk Cleanup scheduled task in the administrator's session. In that session, the vulnerable cleanmgr.exe is executed, auto-elevated, and follows the attacker's symbolic links to eventually delete the system file the attacker wanted to delete.

Needless to say, such an attack is even easier to imagine on a Windows Server with terminal services, where users are meant to be logged in at the same time.

Microsoft's Patch

As moiz had noticed, Microsoft added the ProcessRedirectionTrustPolicy mitigation to cleanmgr.exe to prevent it from following low-privileged users' symbolic links.
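To make the redirection concrete, here is an added example, not 0patch's or Microsoft's code, that models the bug and a per-path symbolic link check in Python on a constructed directory layout: a writable "cleanup" location that the tool empties, a "protected" directory standing in for files only an administrator may delete, and an attacker-planted directory symlink inside "cleanup" pointing at "protected" (on Windows the same role is played by a junction or mount point). All directory and file names are invented for the demo. The vulnerable cleaner deletes whatever the OS resolves a path to, so its delete lands on the protected file; the hardened cleaner refuses to delete through any component below its root that is a symlink or reparse point, whoever created it.

```python
"""Symlink redirection in a privileged file deleter, and the per-path check
that blocks it. Added example; layout and names are constructed for the demo."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Windows sets this attribute on symlinks, junctions and mount points alike.
# Python exposes it as st_file_attributes on Windows only; elsewhere we rely on S_ISLNK.
FILE_ATTRIBUTE_REPARSE_POINT = 0x0400


def is_reparse_point(p: Path) -> bool:
    """True if p *itself* is a symlink (any OS) or a reparse point (Windows).
    lstat() inspects the link, not what it points to."""
    st = p.lstat()
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def redirected_component(target: Path, root: Path) -> Optional[Path]:
    """Walk target's components below the trusted root and return the first
    one that is a symlink/reparse point, or None if the path is what it claims."""
    cur = root
    for part in target.relative_to(root).parts:
        cur = cur / part
        if is_reparse_point(cur):
            return cur
    return None


def build_scenario(base: Path) -> tuple:
    """Constructed layout: 'protected' holds an admin-only file, 'cleanup' holds
    genuine junk plus the attacker's redirect cleanup/cache -> protected."""
    protected = base / "protected"
    protected.mkdir()
    (protected / "important.txt").write_text("only an admin may delete me\n")
    cleanup = base / "cleanup"
    cleanup.mkdir()
    (cleanup / "old.tmp").write_text("genuine junk\n")
    os.symlink(protected, cleanup / "cache", target_is_directory=True)  # attacker's link
    return cleanup, protected


def vulnerable_cleanup(root: Path) -> list:
    """Empties root the way the unpatched tool did: the OS resolves the attacker's
    link, and the delete lands on the protected file. Returns resolved paths removed."""
    removed = []
    for dirpath, _dirs, files in os.walk(root, followlinks=True):
        for name in files:
            p = Path(dirpath) / name
            real = p.resolve()  # where the delete really lands
            os.remove(p)
            removed.append(real)
    return removed


def hardened_cleanup(root: Path) -> tuple:
    """Same traversal, but refuses to delete through any redirected component,
    whoever created it (Redirection Guard, by contrast, only ignores links
    created by low-privileged users). Returns (removed, refused)."""
    removed, refused = [], []
    for dirpath, _dirs, files in os.walk(root, followlinks=True):
        for name in files:
            p = Path(dirpath) / name
            if redirected_component(p, root) is not None:
                refused.append(p)
                continue
            os.remove(p)
            removed.append(p)
    return removed, refused


def run_demo() -> dict:
    """Runs both cleaners on fresh copies of the scenario and reports what each did."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cleanup, protected = build_scenario(Path(tmp))
        removed = vulnerable_cleanup(cleanup)
        results["vulnerable_removed"] = sorted(r.name for r in removed)
        results["vulnerable_protected_survived"] = (protected / "important.txt").exists()
    with tempfile.TemporaryDirectory() as tmp:
        cleanup, protected = build_scenario(Path(tmp))
        removed, refused = hardened_cleanup(cleanup)
        results["hardened_removed"] = sorted(r.name for r in removed)
        results["hardened_refused"] = sorted(r.relative_to(cleanup).as_posix() for r in refused)
        results["hardened_protected_survived"] = (protected / "important.txt").exists()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check-then-delete pattern is inherently racy: an attacker who can swap a real directory for a link between the lstat() and the remove() still wins, which is one reason a process-wide mitigation such as Redirection Guard is the stronger fix where the OS version offers it. Note also that the hardened cleaner rejects links an administrator created, the same stricter stance 0patch takes with its own patch.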
Our Patch

While we could do the same as Microsoft, Redirection Guard is not available on all affected security-adopted Windows versions, so we wrote a patch that checks the path of the to-be-deleted file and determines whether it is a symbolic link. If it isn't, the patch allows the file to be deleted; otherwise it blocks the deletion. This approach is more rigorous than Microsoft's (with their patch, an administrator's symlinks would still be followed), but we believe there aren't any valid scenarios where an administrator's links would be used in this context. Microsoft simply took the easy road by adding the mitigation to the process, which was the smart thing for them to do.

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

Windows 11 v21H2 – fully updated
Windows 10 v21H2 – fully updated
Windows 10 v21H1 – fully updated
Windows 10 v20H2 – fully updated
Windows 10 v2004 – fully updated
Windows 10 v1909 – fully updated
Windows 10 v1809 – fully updated
Windows 10 v1803 – fully updated

Note that Windows 7, Server 2008 R2, Server 2012 and Server 2012 R2 are not affected by this issue.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers, and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We'd like to thank moiz for sharing their finding and their POC, which allowed us to reproduce the issue and create patches for our users.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.