November 2025 Windows Updates brought a patch for CVE-2025-59512, a local privilege escalation vulnerability in the Customer Experience Improvement Program that allows a low-privileged Windows user to delete an arbitrary registry key as Local System - which can be used for running privileged code at a later time.
The vulnerability was found and reported to Microsoft by security researcher Tianlin Zhang. Security researcher Clément Labro subsequently reverse-engineered Microsoft's patch for another vulnerability but also detailed this arbitrary registry key deletion issue in their article, which allowed us to reproduce and patch the issue for our users.
The Vulnerability
The vulnerability is in the way the "Consolidator" scheduled task, part of the Customer Experience Improvement Program on Windows, deletes all registry subkeys under one of its own registry keys when started. Due to improper permissions on said key, any local user can create a further subkey there that is a symbolic link to another key anywhere else in the registry and then run the scheduled task. Because the task runs as Local System, the key the symbolic link points to gets deleted with its privileges.
Deleting an arbitrary registry key can have a range of consequences, including disabling security features or enabling the exploitation of some other vulnerability.
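As an added example (not 0patch's or Microsoft's code), the following PowerShell audits a registry key for the two conditions this bug relies on: an ACL that lets broad groups create subkeys, and subkeys that are registry symbolic links. It opens each subkey with REG_OPTION_OPEN_LINK so the link itself, not its target, is inspected, which is also how a deleting routine can refuse to follow links. The key path is a placeholder; the post does not name the Consolidator's key.

```powershell
# Added example, not 0patch's code. Audit a key before a privileged task deletes under it.
$sig = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyExW(IntPtr hKey, string subKey, uint options, uint sam, out IntPtr result);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueExW(IntPtr hKey, string name, IntPtr reserved, out uint type, byte[] data, ref uint size);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@
$Reg = Add-Type -MemberDefinition $sig -Name RegNative -Namespace Audit -PassThru

function Test-RegistrySymbolicLink {
    # Returns the link target path if $SubKey is a registry symbolic link, otherwise $null.
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    $REG_OPTION_OPEN_LINK = 0x8; $KEY_QUERY_VALUE = 0x1   # open the link itself, do not follow it
    $h = [IntPtr]::Zero
    if ($Reg::RegOpenKeyExW($Hive.Handle.DangerousGetHandle(), $SubKey, $REG_OPTION_OPEN_LINK, $KEY_QUERY_VALUE, [ref]$h) -ne 0) { return $null }
    try {
        $type = [uint32]0; $size = [uint32]0
        # A link key carries a REG_LINK value named SymbolicLinkValue holding the target; ordinary keys lack it
        if ($Reg::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $null, [ref]$size) -ne 0) { return $null }
        $buf = New-Object byte[] $size
        if ($Reg::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $buf, [ref]$size) -ne 0) { return $null }
        return [Text.Encoding]::Unicode.GetString($buf)
    } finally { [void]$Reg::RegCloseKey($h) }
}

function Get-RegistrySymbolicLinkSubkeys {
    # Enumerating the parent lists link keys by name without following them; each is then inspected.
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$KeyPath)
    $parent = $Hive.OpenSubKey($KeyPath); if (-not $parent) { return }
    foreach ($name in $parent.GetSubKeyNames()) {
        $target = Test-RegistrySymbolicLink -Hive $Hive -SubKey "$KeyPath\$name"
        if ($target) { [pscustomobject]@{ Subkey = "$KeyPath\$name"; Target = $target } }
    }
}

function Get-WeakCreateSubKeyAces {
    # ACEs that let low-privileged principals plant a subkey (the precondition for the link trick).
    param([string]$PSPath)
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    $create = [int][Security.AccessControl.RegistryRights]::CreateSubKey
    (Get-Acl -Path $PSPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value -and
        (([int]$_.RegistryRights -band $create) -ne 0)
    }
}

$keyPath = 'SOFTWARE\PLACEHOLDER_TaskKey'   # placeholder: the real Consolidator key is not named in the post
Get-WeakCreateSubKeyAces -PSPath "HKLM:\$keyPath"
Get-RegistrySymbolicLinkSubkeys -Hive ([Microsoft.Win32.Registry]::LocalMachine) -KeyPath $keyPath
```

Any output from either function on a key a SYSTEM task deletes under is worth investigating; a deleter that calls Test-RegistrySymbolicLink first and skips links would not have followed the planted link here.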
Microsoft's Patch
Microsoft's patch eliminated the entire functionality of deleting registry subkeys from the "Consolidator" scheduled task.
Our Patch
Our patch is logically identical to Microsoft's.
Let's see our patch in action. First, a low-privileged user creates a registry symbolic link pointing to a registry key test under HKLM\SOFTWARE and runs the "Consolidator" scheduled task while 0patch Agent is disabled. This results in HKLM\SOFTWARE\test getting deleted. Doing the same with 0patch Agent enabled does not result in the deletion of HKLM\SOFTWARE\test.
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
- Windows 11 v22H2 - fully updated
- Windows 11 v21H2 - fully updated
- Windows 10 v22H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
- Windows Server 2012 - fully updated with no ESU or ESU 1
- Windows Server 2012 R2 - fully updated with no ESU or ESU 1
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
We'd like to thank Tianlin Zhang for discovering this vulnerability and Clément Labro for publishing their analysis, both of which allowed us to create a patch and protect 0patch users against this issue.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.