CVE-2025-0651
📋 TL;DR
A privilege escalation vulnerability in Cloudflare WARP for Windows allows low-privileged users to create symbolic links that cause the WARP service (running as SYSTEM) to delete arbitrary files when the 'Reset all settings' option is triggered. This affects Windows systems running Cloudflare WARP versions before 2024.12.492.0.
💻 Affected Systems
- Cloudflare WARP
📦 What is this software?
Warp by Cloudflare
⚠️ Risk & Real-World Impact
Worst Case
SYSTEM-level file deletion could disrupt critical system files, potentially causing system instability, service disruption, or complete system compromise if critical configuration files are deleted.
Likely Case
Local attackers could delete user files, application data, or configuration files, leading to data loss, application failures, or limited denial of service.
If Mitigated
With proper user privilege separation and monitoring, impact is limited to non-critical file deletion within controlled environments.
🎯 Exploit Status
Requires local access, low privileges, and user interaction with the WARP client interface. Symbolic link creation requires specific directory access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.12.492.0 and later
Vendor Advisory: https://developers.cloudflare.com/warp-client/
Restart Required: No
Instructions:
1. Open the Cloudflare WARP client.
2. Check for updates in settings.
3. Install the update to version 2024.12.492.0 or later.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: Modify permissions on the vulnerable directory to prevent low-privileged users from creating symbolic links.
icacls "C:\ProgramData\Cloudflare\warp-diag-partials" /inheritance:r
icacls "C:\ProgramData\Cloudflare\warp-diag-partials" /grant SYSTEM:F
icacls "C:\ProgramData\Cloudflare\warp-diag-partials" /grant "Administrators":F
🧯 If You Can't Patch
- Disable or uninstall Cloudflare WARP if not required for business operations.
- Implement strict user privilege management to limit who can access the system locally.
🔍 How to Verify
Check if Vulnerable:
Check the WARP version in the client settings or with the 'warp-cli --version' command. If the version is below 2024.12.492.0, the system is vulnerable.
Check Version:
warp-cli --version
Verify Fix Applied:
Confirm WARP version is 2024.12.492.0 or higher. Verify directory permissions restrict low-privileged users from creating files in C:\ProgramData\Cloudflare\warp-diag-partials.
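Added example (not from Cloudflare or from this page's source): a read-only PowerShell audit that combines the version check and the directory permission check described above. It assumes warp-cli is on PATH and prints a four-part version string; the function names are illustrative, and the reparse-point listing is an extra check added here.

```powershell
# Added example: read-only audit for CVE-2025-0651 exposure on a Windows host.
$FixedVersion = [version]'2024.12.492.0'                        # from this page
$DiagDir      = 'C:\ProgramData\Cloudflare\warp-diag-partials'  # from this page
$TrustedSids  = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators

function Test-WarpVersionFixed {
    param([string]$VersionText)
    # Assumption: the text contains a four-part version such as 2024.12.492.0.
    if ($VersionText -notmatch '\d+\.\d+\.\d+\.\d+') { return $null }
    return ([version]$Matches[0]) -ge $FixedVersion
}

function Get-UntrustedWriteAce {
    param([string]$Path)
    # CreateFiles (0x2), CreateDirectories (0x4), GENERIC_WRITE, GENERIC_ALL
    $mask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }  # not applied to the directory itself
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }  # unresolved account: keep the raw value
        if ($sid -notin $TrustedSids) { $ace }
    }
}

$cli = Get-Command warp-cli -ErrorAction SilentlyContinue
if (-not $cli) {
    'VERSION: warp-cli not found on PATH; check the client settings instead'
} else {
    $fixed = Test-WarpVersionFixed ((& $cli.Source --version 2>&1) -join ' ')
    if ($null -eq $fixed) { 'VERSION: could not parse warp-cli output' }
    elseif ($fixed)       { 'VERSION: fixed (2024.12.492.0 or later)' }
    else                  { 'VERSION: VULNERABLE (below 2024.12.492.0)' }
}

if (Test-Path -LiteralPath $DiagDir) {
    Get-UntrustedWriteAce $DiagDir |
        ForEach-Object { "ACL: $($_.IdentityReference) can create entries ($($_.FileSystemRights))" }
    # Links or junctions already inside the directory deserve a closer look.
    Get-ChildItem -LiteralPath $DiagDir -Force |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object { "REPARSE POINT: $($_.FullName)" }
}
```

No ACL or REPARSE POINT lines in the output means only SYSTEM and Administrators can create entries in the directory and no links are present there.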
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing file deletion events from SYSTEM account
- Application logs showing WARP service performing unexpected file operations
Network Indicators:
- No network indicators - this is a local privilege escalation vulnerability
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%warp-diag-partials%' AND SubjectUserName='SYSTEM'