PoC Exploit Unveiled for Home windows Disk Cleanup Elevation Vulnerability

Microsoft addressed a high-severity elevation of privilege vulnerability (CVE-2025-21420) in its Home windows Disk Cleanup Utility (cleanmgr.exe) throughout February 2025’s Patch Tuesday.

The flaw, scoring 7.8 on the CVSS scale, enabled attackers to execute malicious code with SYSTEM privileges by DLL sideloading and a listing traversal approach.

The vulnerability stems from cleanmgr.exe’s failure to validate DLL loading paths and mitigate symbolic hyperlink assaults.

Key elements embody:

1. Exploitation Mechanism

• DLL Sideloading: Attackers plant malicious libraries (e.g., dokannp1.dll) in writable system directories. bashcp .dokan1.dll C:CustomersSystem32System32System32dokannp1.dll cleanmgr /sageset:2 This command chain exploits path interception vulnerabilities to load unsigned DLLs.
• SilentCleanup Activity Hijacking: The Home windows Activity Scheduler’s SilentCleanup process (working as SYSTEM) deletes folder contents with out correct symlink checks. Attackers abuse this by way of: python# Exploit script construction os.makedirs(r'C:$Home windows.~WS') os.makedirs(r'C:ESDWindows') open(r'C:ESDWindowsdummy.txt', 'w').shut() By redirecting folder deletions to C:Config.Msi, attackers set off arbitrary file operations.

2. Vulnerability Chain

Proof-of-Idea (PoC) Workflow

Safety researchers demonstrated exploitation utilizing a multi-stage course of:

1. Folder Setup: Create nested directories (C:ESDWindows) with dummy information to set off SilentCleanup’s deletion routine.
2. Junction Redirection: Use FolderContentsDeleteToFolderDelete to transform C:ESDWindows right into a junction pointing to C:Config.Msi.
3. Privilege Escalation: Execute osk.exe post-cleanup to spawn a SYSTEM shell by way of the compromised Config.Msi listing.

python# Pattern exploit script (abridged)
import os, time
os.makedirs(r'C:$Home windows.~WS', exist_ok=True)
os.makedirs(r'C:ESDWindows', exist_ok=True)
with open(r'C:ESDWindowsdummy.txt', 'w') as f: f.write('set off')
enter("Press Enter after organising junctions...")
os.startfile(r'C:WindowsSystem32cleanmgr.exe')

Mitigation and Patch Deployment

Microsoft’s February 2025 replace resolves the flaw by:

• Redirection Guard: Blocks symlink assaults by way of PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY.
• DLL Signature Enforcement: cleanmgr.exe now validates digital signatures earlier than loading libraries.

Really useful Actions:

• Apply KB5025321 by way of Home windows Replace/WSUS instantly.
• Audit system directories for unauthorized DLLs (e.g., dokannp1.dll).
• Monitor cleanmgr.exe executions in non-standard contexts.

This patch is a part of a broader replace fixing 67 vulnerabilities, together with actively exploited zero-days in Home windows Ancillary Perform Driver (CVE-2025-21418) and NTLM (CVE-2025-21377).

Organizations ought to prioritize patch deployment given the exploit’s low complexity and excessive impression.

Discover this Information Attention-grabbing! Observe us on Google Information, LinkedIn, & X to Get Instantaneous Updates