CVE-2025-32780
📋 TL;DR
BleachBit for Windows up to version 4.6.2 is vulnerable to DLL hijacking, allowing attackers to execute arbitrary code by placing a malicious uuid.dll in a specific directory. This affects Windows users running vulnerable versions of BleachBit, potentially compromising their systems when the application launches.
💻 Affected Systems
- BleachBit
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the user running BleachBit, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation leading to user account compromise, data exfiltration, or malware installation on the affected system.
If Mitigated
Limited impact if proper application whitelisting, DLL search path hardening, or user privilege restrictions are in place.
🎯 Exploit Status
Exploitation requires local file system access to place the malicious DLL, and a user must then run BleachBit. No authentication bypass is needed once the DLL is placed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.0
Vendor Advisory: https://github.com/bleachbit/bleachbit/security/advisories/GHSA-ghph-v4x4-vr3c
Restart Required: No
Instructions:
1. Download BleachBit 4.9.0 or later from official sources.
2. Uninstall previous version.
3. Install new version.
4. Verify version is 4.9.0 or higher.
🔧 Temporary Workarounds
Restrict DLL search path
Windows: Use Windows policies to restrict DLL search order and prevent loading from user directories
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'SafeDllSearchMode' -Value 1
Remove vulnerable directory permissions
Windows: Restrict write permissions to the WindowsApps directory for standard users
icacls "C:\Users\%USERNAME%\AppData\Local\Microsoft\WindowsApps" /deny %USERNAME%:(OI)(CI)W
🧯 If You Can't Patch
- Monitor for suspicious DLL files in C:\Users\*\AppData\Local\Microsoft\WindowsApps\ directory
- Implement application control policies to restrict execution of BleachBit or validate DLL integrity
🔍 How to Verify
Check if Vulnerable:
Check the BleachBit version in Help > About. If the version is 4.6.2 or lower, the system is vulnerable.
Check Version:
bleachbit --version
Verify Fix Applied:
Verify that the BleachBit version is 4.9.0 or higher. Check that uuid.dll is not present in the WindowsApps directory.
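The two checks above (installed version, and absence of uuid.dll in each user's WindowsApps directory) can be scripted together. The following PowerShell is an added example, not code from this page or from the BleachBit project. The function names, the C:\Users profile root and the reliance on a 'BleachBit*' uninstall registry entry are assumptions.

```powershell
# Added example, not from the page or the BleachBit project. Run elevated
# so that other users' profiles are readable.
$ProfileRoot  = 'C:\Users'         # assumption: default profile location
$DllName      = 'uuid.dll'         # file name given on this page
$FixedVersion = [version]'4.9.0'   # patch version stated on this page

function Find-PlantedDll {
    # Look for the DLL in each profile's per-user WindowsApps directory.
    Get-ChildItem -Path $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Join-Path $_.FullName "AppData\Local\Microsoft\WindowsApps\$DllName"
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -LiteralPath $p
                [pscustomobject]@{
                    Path      = $p
                    Modified  = (Get-Item -LiteralPath $p -Force).LastWriteTimeUtc
                    SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                    Signature = $sig.Status   # triage hint only
                }
            }
        }
}

function Get-BleachBitInstall {
    # Assumption: installer wrote a 'BleachBit*' uninstall entry; portable copies are not covered.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'BleachBit*' } |
        ForEach-Object {
            $v  = $null
            # Strip any non-numeric suffix before parsing the version string.
            $ok = [version]::TryParse(($_.DisplayVersion -replace '[^0-9.].*$', ''), [ref]$v)
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Patched = ($ok -and $v -ge $FixedVersion)
            }
        }
}

Get-BleachBitInstall | Format-Table -AutoSize | Out-Host
$hits = @(Find-PlantedDll)
if ($hits.Count -gt 0) {
    $hits | Format-List | Out-Host
    Write-Warning "$($hits.Count) copy/copies of $DllName found in WindowsApps; investigate before launching BleachBit."
} else {
    Write-Output "No $DllName found under $ProfileRoot\*\AppData\Local\Microsoft\WindowsApps."
}
```

For portable copies that have no uninstall entry, fall back to `bleachbit --version` as described under Check Version.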
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing BleachBit loading DLLs from unexpected locations
- Process creation events for BleachBit with suspicious parent processes
Network Indicators:
- Unexpected outbound connections from BleachBit process
SIEM Query:
Process WHERE process_name = 'bleachbit.exe' AND (file_path CONTAINS 'WindowsApps' OR parent_process NOT IN ('explorer.exe', 'cmd.exe'))