Thursday, July 24, 2025

Micropatches Released for Windows Disk Cleanup Tool Elevation of Privilege Vulnerability (CVE-2025-21420)


February 2025 Windows Updates brought a patch for CVE-2025-21420, a local privilege elevation vulnerability allowing a local attacker to execute malicious code in another user's existing session using said user's identity. Microsoft's advisory does not reveal who reported this vulnerability to Microsoft (or whether they had discovered it internally).


The Vulnerability 

Security researcher moiz reverse engineered Microsoft's patch for cleanmgr.exe in February's Windows updates and found that Microsoft had added the ProcessRedirectionTrustPolicy mitigation (a.k.a. Redirection Guard) to the process, which causes the process to ignore symbolic links created by low-privileged users. Based on this information, moiz monitored the behavior of the Disk Cleanup tool when launched and found that it was vulnerable to symbolic link redirection. Placing a symbolic link from a certain file that a low-privileged user can create to another file that can only be deleted by a high-privileged user can result in deletion of the latter file when Disk Cleanup's scheduled task is launched. Moiz graciously shared their analysis and POC.

Arbitrary file deletion can be turned into arbitrary code execution as Local System, as was first shown by Jonas Lykkegård in 2020 using Windows Error Reporting Service, and subsequently also by Abdelhamid Naceri using Windows Installer.

So the low-privileged user just prepares the right files, sets up symbolic links, and starts the scheduled task? Hmm, strange, because the Disk Cleanup scheduled task is set to run as "Users", not as some privileged account like "Local System". One would expect it to be launched with the attacker's own identity, which would not result in file deletion due to permissions on the target file. And the fact that the task is set to "Run with highest privileges" doesn't help either, because that would only ensure that if a non-elevated admin were to launch it, it would run as an elevated admin - but the attacker cannot be elevated.

So why does the attack work at all?

It turns out that - cue raised eyebrows - launching the Disk Cleanup scheduled task as any logged-in user launches it not only in said user's session, but in all existing sessions on the computer, just as if those other users had launched it themselves! This means that if an administrator is logged in to the computer and the attacker then connects to it via remote desktop, the attacker will be able to launch the Disk Cleanup scheduled task in the administrator's session. In that session, the vulnerable cleanmgr.exe would be executed, auto-elevated, and would follow the attacker's symbolic links to eventually delete the system file the attacker wanted to delete.

Needless to say, such an attack is even easier to imagine on a Windows Server with terminal services, where users are meant to log in at the same time.


Microsoft's Patch

As moiz had noticed, Microsoft added the ProcessRedirectionTrustPolicy mitigation to cleanmgr.exe to prevent it from following low-privileged users' symbolic links. 


Our Patch

While we could do the same as Microsoft, Redirection Guard is not available on all affected security-adopted Windows versions, so we wrote a patch that checks the path of the to-be-deleted file and determines whether it is a symbolic link. If it isn't, the patch allows the file to be deleted; otherwise it blocks the deletion. This approach is more rigorous than Microsoft's (with their patch, an administrator's symlinks would still be accepted), but we believe there are no valid scenarios where an administrator's links would be used in this context - Microsoft simply took the easy road by adding the mitigation to the process. (Which was the smart thing to do for them.)
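To illustrate the kind of check the paragraph above describes, here is an added example (not 0patch's patch code, whose internals are not shown in this post): a deletion routine that refuses to remove a file when the final path component or any parent directory is a symbolic link or reparse point, so that a link placed by a low-privileged user cannot redirect the deletion. The `demo()` layout and all names are constructed for this illustration.

```python
import os
import stat
import tempfile

# Windows reparse-point attribute bit (symlinks and junctions). Defined here so
# the check also runs on non-Windows systems, where st_file_attributes is absent.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400

def is_link(path: str) -> bool:
    """True if the path itself is a symlink (POSIX) or a reparse point (Windows).
    os.lstat inspects the link object instead of following it."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)

def has_link_ancestor(path: str) -> bool:
    """Also refuse links in parent directories: a redirected directory would
    otherwise steer the deletion to a file the caller never named."""
    parent = os.path.dirname(os.path.abspath(path))
    while parent != os.path.dirname(parent):  # stop at the filesystem root
        if is_link(parent):
            return True
        parent = os.path.dirname(parent)
    return False

def safe_delete(path: str) -> bool:
    """Delete a file only when no link is involved anywhere in its path.
    Returns True when deleted, False when the deletion was blocked."""
    if is_link(path) or has_link_ancestor(path):
        return False
    os.remove(path)
    return True

def demo() -> dict:
    """Constructed layout (not from the post): a real file, a file symlink to it
    and a directory symlink to its folder. Returns what safe_delete decided."""
    base = os.path.realpath(tempfile.mkdtemp())  # realpath: no link ancestors
    real_dir = os.path.join(base, "real")
    os.mkdir(real_dir)
    victim = os.path.join(real_dir, "victim.txt")
    open(victim, "w").close()
    os.symlink(victim, os.path.join(base, "link.txt"))
    os.symlink(real_dir, os.path.join(base, "linkdir"))
    via_file_link = safe_delete(os.path.join(base, "link.txt"))
    via_dir_link = safe_delete(os.path.join(base, "linkdir", "victim.txt"))
    survived = os.path.exists(victim)            # True: both attempts were blocked
    return {"via_file_link": via_file_link, "via_dir_link": via_dir_link,
            "victim_survived": survived, "direct": safe_delete(victim)}
```

A user-mode check followed by a separate delete call is still a check-then-act sequence; a production implementation would open the file with a handle that does not follow reparse points and delete through that handle.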


Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated

Note that Windows 7, Server 2008 R2, Server 2012 and Server 2012 R2 are not affected by this issue.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We'd like to thank moiz for sharing their finding and their POC, which allowed us to reproduce the issue and create patches for our users.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.


Thursday, July 10, 2025

Micropatches Released for "WSPCoerce" Coerced Authentication via Windows Search Protocol (NO CVE/WONTFIX)


Coerced authentication is any method that allows an attacker to force a target system to authenticate against the attacker's computer and reveal its credentials in the process. The most useful form of coerced authentication on Windows is arguably one that forces a remote Windows computer to send its machine (system) account's NTLM credentials to the attacker, which can then be relayed to another computer.

Microsoft does not consider "coerced authentication" methods vulnerabilities worth fixing and rather suggests several options for mitigating attacks, including disabling NTLM. For various, mostly legacy-related reasons, many large organizations can't implement these options.

That is why we at 0patch have decided to provide our own patches for known coerced authentication issues so that both legacy Windows systems like Windows 7 and Server 2008 R2 and the latest Windows 11 and Server 2025 that are using NTLM get to be properly protected. So far we have been providing (and dutifully porting to new versions of executable files) patches for these coerced authentication issues:

  1. PetitPotam
  2. PrinterBug/SpoolSample and
  3. DFSCoerce.

We are now adding a fourth coerced authentication issue to the list: "WSPCoerce". WSPCoerce was discovered by Simon Lemire, who also published a WSPCoerce proof-of-concept tool. The tool sends a request to the Windows Search Service running by default on any Windows workstation (but not on servers), causing it to read a shared folder on the attacker's computer - revealing the machine account's NTLM credentials in the process.

Our patch adds a security check to the processing of affected search requests such that a remote machine can only request a search of a shared folder on the same remote machine (the target machine), and not on some other machine in the network. This preserves search and indexing functionality, but prevents coerced authentication.
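As an added illustration of the check described above (example code, not 0patch's patch; the exact host-matching rules of the real patch are not disclosed in this post and are assumed here), the following routine extracts the host from a UNC search path and allows the request only when that host is one of the receiving machine's own identities. The hostnames and addresses in the comments and tests are constructed.

```python
import ipaddress
import re

# Host component of \\host\share, //host/share and the \\?\UNC\host\share form.
_UNC_HOST = re.compile(r"^(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2})([^\\/]+)")

def unc_host(path: str):
    """Return the host named in a UNC path, or None for a non-UNC path."""
    m = _UNC_HOST.match(path)
    return m.group(1) if m else None

def normalize_host(host: str) -> str:
    """Canonical spelling of a host: lower case, no trailing dot, IP literals
    compressed, Windows' IPv6 UNC form (fe80--1.ipv6-literal.net) decoded."""
    h = host.strip().lower().rstrip(".")
    if h.endswith(".ipv6-literal.net"):
        h = h[: -len(".ipv6-literal.net")].replace("-", ":").split("s")[0]
    h = h.strip("[]")
    try:
        return ipaddress.ip_address(h).compressed
    except ValueError:
        return h

def local_identities(hostname: str, addresses) -> set:
    """Every spelling that refers to this machine: short name, FQDN, loopback
    and each configured address (assumed to be supplied by the caller)."""
    ids = {"localhost", hostname.lower(), hostname.split(".")[0].lower()}
    for a in list(addresses) + ["127.0.0.1", "::1"]:
        ids.add(ipaddress.ip_address(a).compressed)
    return ids

def is_local_share(path: str, hostname: str, addresses) -> bool:
    """Allow the search only when the UNC host is the machine that received
    the request; any other host would mean an outbound SMB connection."""
    host = unc_host(path)
    if host is None:
        return True  # plain local path, no remote share involved
    return normalize_host(host) in local_identities(hostname, addresses)
```

Anything that does not match fails closed, including malformed prefixes such as `\\?\C:\`, which is the safer default for a check meant to stop outbound authentication.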


Micropatch Availability

Micropatches were written for:

Legacy Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012 - fully updated without ESU or with ESU 1
  11. Windows Server 2012 R2 - fully updated without ESU or with ESU 1
  12. Windows Server 2008 R2 - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4

Windows versions still receiving Windows Updates:

  1. Windows 11 v24H2 - fully updated
  2. Windows 11 v23H2 - fully updated
  3. Windows 11 v22H2 - fully updated
  4. Windows 10 v22H2 - fully updated
  5. Windows Server 2025 - fully updated
  6. Windows Server 2022 - fully updated
  7. Windows Server 2019 - fully updated
  8. Windows Server 2016 - fully updated
  9. Windows Server 2012 - fully updated with ESU 2
  10. Windows Server 2012 R2 - fully updated with ESU 2


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We'd like to thank Simon Lemire for sharing their finding and their tool, which allowed us to reproduce the issue and create patches for our users.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.