CVE-2025-21420

Q: What is the severity of CVE-2025-21420?

CVE-2025-21420 has a CVSS score of 7.8 (HIGH). This vulnerability allows an authenticated attacker to exploit the Windows Disk Cleanup Tool to gain SYSTEM-level privileges on affected systems. It affects Windows systems where the Disk Cleanup Tool is present and accessible. Attackers need local access to the system to exploit this privilege escalation flaw.

7.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to exploit the Windows Disk Cleanup Tool to gain SYSTEM-level privileges on affected systems. It affects Windows systems where the Disk Cleanup Tool is present and accessible. Attackers need local access to the system to exploit this privilege escalation flaw.

💻 Affected Systems

Products:

Windows Disk Cleanup Tool

Versions: Specific Windows versions as listed in Microsoft advisory

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have local access and ability to execute code with standard user privileges.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access gains full SYSTEM privileges, enabling complete system compromise, data theft, malware persistence, and lateral movement across the network.

🟠

Likely Case

Privileged attackers or malware with initial foothold escalate to SYSTEM to bypass security controls, install backdoors, or access protected resources.

🟢

If Mitigated

With proper access controls and monitoring, exploitation attempts are detected and contained before significant damage occurs.

🌐 Internet-Facing: LOW - Requires local access; not directly exploitable over internet.

🏢 Internal Only: HIGH - Local attackers or compromised accounts can exploit this for privilege escalation within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local authenticated access and specific conditions to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21420

Restart Required: No

Instructions:

1. Open Windows Update Settings. 2. Check for updates. 3. Install all available security updates. 4. Verify installation via Windows Update history.

🔧 Temporary Workarounds

Restrict Disk Cleanup Tool Access

all

Limit execution of cleanmgr.exe to authorized users only via Group Policy or file permissions

icacls %windir%\system32\cleanmgr.exe /deny Users:(RX)

🧯 If You Can't Patch

Implement strict least privilege access controls to limit local user privileges
Monitor for suspicious Disk Cleanup Tool executions and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and installed updates against Microsoft advisory

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify security update KB number is installed via Windows Update history

📡 Detection & Monitoring

Log Indicators:

Unexpected cleanmgr.exe executions
Privilege escalation events in security logs
Suspicious process creation from Disk Cleanup

Network Indicators:

None - local exploitation only

SIEM Query:

Process Creation where Image contains 'cleanmgr.exe' and Parent Process not in expected list

📊 Metadata

CVE ID: CVE-2025-21420

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-59

EPSS Score: 23.5% exploit probability (95.8th percentile)

Published: February 11, 2025

Last Updated: February 14, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21420 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2012 by Microsoft