PoC Exploit Released for Windows Disk Cleanup Tool Elevation of Privilege Vulnerability

A proof-of-concept exploit has been published for CVE-2025-21420, a newly disclosed elevation of privilege vulnerability affecting the Windows Disk Cleanup Tool (cleanmgr.exe). 

The vulnerability allows attackers to escalate privileges to SYSTEM level by exploiting improper link resolution mechanisms within the SilentCleanup scheduled task, which runs with elevated privileges on Windows systems.

Windows Disk Cleanup Vulnerability

The vulnerability stems from a CWE-59: Improper Link Resolution Before File Access flaw in the Windows Disk Cleanup utility. 

Analysis of the latest cleanmgr.exe binary reveals that Microsoft has added calls to SetProcessMitigationPolicy with a MitigationPolicy value of 16, which corresponds to ProcessRedirectionTrustPolicy. 

This indicates that the application now includes Redirection Guard protections, suggesting Microsoft was aware of potential link-following attacks against this component.

Despite these protections, researchers discovered that the SilentCleanup scheduled task, which executes cleanmgr.exe with “Run with highest privileges” enabled, remains vulnerable to sophisticated redirection attacks. 

The vulnerability specifically concerns the cleanup process’s handling of temporary folders, particularly those located in the C:\$Windows.~WS, C:\ESD\Windows, and C:\ESD\Download directories. 

Process monitoring tools reveal that the cleanup utility checks for the existence of these folders and proceeds to delete their contents without properly validating symbolic links or junction points.
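The folders named above are exactly where a defender would look for a planted junction or symbolic link before the task next runs. The following PowerShell script is an added example (not from the article or from the PoC author): it reports how the SilentCleanup task is configured and walks the three cleanup folders looking for reparse points. The task path `\Microsoft\Windows\DiskCleanup\SilentCleanup` is the standard location of the built-in task but is an assumption here; confirm it in Task Scheduler.

```powershell
# Added example (not from the original article or the PoC author): audit the
# folders that the SilentCleanup task processes for reparse points and report
# how the task itself is configured. Run from an elevated PowerShell prompt.

# Folders named in the write-up as being cleaned by cleanmgr.exe.
$CleanupTargets = @(
    'C:\$Windows.~WS',
    'C:\ESD\Windows',
    'C:\ESD\Download'
)

function Get-ReparseFindings {
    param([string[]]$Paths)
    $findings = @()
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Check the root folder itself as well as everything beneath it.
        # -Force is required because $Windows.~WS is normally hidden.
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                $findings += [pscustomobject]@{
                    Path   = $item.FullName
                    Type   = $item.LinkType            # Junction, SymbolicLink, ...
                    Target = ($item.Target -join ';')  # where the link points
                }
            }
        }
    }
    return $findings
}

function Get-SilentCleanupConfig {
    # Assumed task path of the built-in Disk Cleanup task; verify in Task Scheduler.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' `
                              -TaskName 'SilentCleanup' -ErrorAction SilentlyContinue
    if (-not $task) { return $null }
    [pscustomobject]@{
        State    = $task.State
        RunLevel = $task.Principal.RunLevel   # 'Highest' == "Run with highest privileges"
        UserId   = $task.Principal.UserId
        Command  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}

$config = Get-SilentCleanupConfig
if ($config) { $config | Format-List } else { Write-Warning 'SilentCleanup task not found.' }

$findings = @(Get-ReparseFindings -Paths $CleanupTargets)
if ($findings.Count -eq 0) {
    Write-Output 'No reparse points found under the cleanup target folders.'
} else {
    Write-Warning 'Reparse points found under folders that SilentCleanup deletes; review before the task next runs:'
    $findings | Format-Table -AutoSize
}
```

Any junction or symbolic link under these folders is worth investigating, since cleanmgr.exe runs as SYSTEM and, per the write-up, deletes their contents without validating where a link points. The `LinkType` and `Target` properties are populated by PowerShell 5.1 and later.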

Exploitation Methodology 

Security researcher Moiz-2x published a proof-of-concept exploit that demonstrates a multi-stage attack chain that leverages arbitrary folder delete/move/rename operations to achieve SYSTEM privilege escalation. 

The attack methodology involves creating specific directory structures that the SilentCleanup task will process during its routine execution.

The exploit script creates three target folders: C:\$Windows.~WS, C:\ESD\Windows, and C:\ESD\Download, populating them with dummy text files. 

The critical component of the attack utilizes two sophisticated techniques: FolderOrFileDeleteToSystem and FolderContentsDeleteToFolderDelete. 

These methods redirect the cleanup operation from the intended C:\ESD\Windows directory to the sensitive C:\Config.msi folder, which contains critical Windows Installer cache files.

The attack sequence requires precise timing and coordination. Attackers must first establish the malicious directory structure, configure the redirection mechanisms, and then trigger the SilentCleanup task. 

Upon successful execution, the vulnerability allows attackers to delete protected system files, ultimately leading to SYSTEM-level access through techniques like replacing system utilities such as osk.exe (On-Screen Keyboard).

Mitigation 

This vulnerability represents a significant security concern as it affects a core Windows component that runs with elevated privileges by design. 

The SilentCleanup task is integral to Windows maintenance operations and cannot simply be disabled without affecting system performance and storage management.

Organizations should immediately assess their exposure to this vulnerability and implement appropriate defensive measures. 

The researchers note that modern antivirus solutions, including Windows Defender, may detect this exploitation technique, requiring attackers to exclude certain processes from real-time protection. Those exclusions are themselves a signal that security monitoring tools can alert on.

Microsoft is expected to address this vulnerability in upcoming security updates. System administrators should prioritize applying patches once available and consider implementing additional monitoring for unusual SilentCleanup task behavior.
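One concrete way to monitor for unusual SilentCleanup task behaviour is to review the Task Scheduler operational log for on-demand or unusually frequent runs of the task. The script below is an added example (not from the article or from the PoC author). It assumes the `Microsoft-Windows-TaskScheduler/Operational` log is enabled (it is off by default), that the task lives at `\Microsoft\Windows\DiskCleanup\SilentCleanup`, and uses Task Scheduler event IDs 100 (task started), 110 (task triggered by user) and 200 (action started); the "more than two starts in an hour" threshold is a constructed starting point, not a tuned value.

```powershell
# Added example (not from the original article or the PoC author): review recent
# SilentCleanup executions so that manual or unusually frequent runs stand out.
# Enable the log first if needed:
#   wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true

$TaskName = '\Microsoft\Windows\DiskCleanup\SilentCleanup'  # assumed task path; confirm in Task Scheduler
$LookBack = (Get-Date).AddDays(-7)

function Get-SilentCleanupRuns {
    param([datetime]$Since)
    # 100 = Task Started, 110 = Task triggered by user (manual run), 200 = Action started
    $filter = @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 100, 110, 200
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$TaskName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Detail = ($_.Message -split "`r?`n")[0]   # first line summarises the event
            }
        }
}

function Find-SuspiciousRuns {
    param([object[]]$Runs)
    $alerts = @()
    # The maintenance task is normally started by its idle/maintenance trigger,
    # so a manual trigger (event 110) is worth a look on its own.
    $Runs | Where-Object Id -eq 110 | ForEach-Object {
        $alerts += "Manual trigger of SilentCleanup at $($_.Time): $($_.Detail)"
    }
    # Several starts inside one hour suggests repeated attempts to win a race
    # between the task's delete and the planted redirection. Threshold is constructed.
    $Runs | Where-Object Id -eq 100 |
        Group-Object { $_.Time.ToString('yyyy-MM-dd HH') } |
        Where-Object Count -gt 2 |
        ForEach-Object { $alerts += "$($_.Count) SilentCleanup starts in hour $($_.Name)" }
    return $alerts
}

$runs = @(Get-SilentCleanupRuns -Since $LookBack)
Write-Output "SilentCleanup events since $LookBack : $($runs.Count)"
$runs | Sort-Object Time | Format-Table -AutoSize

$alerts = @(Find-SuspiciousRuns -Runs $runs)
if ($alerts.Count -eq 0) { Write-Output 'Nothing unusual in the review window.' }
else { $alerts | ForEach-Object { Write-Warning $_ } }
```

On a fleet, the same two conditions translate directly into a SIEM rule over the forwarded Task Scheduler log; pairing a manual trigger of SilentCleanup with a newly created junction under one of the cleanup folders is a much stronger signal than either event alone.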


The post PoC Exploit Released for Windows Disk Cleanup Tool Elevation of Privilege Vulnerability appeared first on Cyber Security News.