CVE-2025-3599

6.5 MEDIUM

📋 TL;DR

This CVE describes an Elevation of Privilege vulnerability in Symantec Endpoint Protection Windows Agent's ERASER Engine that allows attackers to delete protected resources. Affected systems are those running ERASER Engine versions prior to 119.1.7.8 on Windows platforms.

💻 Affected Systems

Products:
  • Symantec Endpoint Protection Windows Agent
Versions: ERASER Engine versions prior to 119.1.7.8
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows versions of Symantec Endpoint Protection with vulnerable ERASER Engine.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains administrative privileges and deletes critical system files, causing system instability or complete compromise.

🟠

Likely Case

Local attackers escalate privileges to delete protected files, potentially disrupting security software or system operations.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to isolated file deletions that can be detected and restored.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: MEDIUM - Internal attackers with local access could exploit this to disrupt endpoint protection or system files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and some technical knowledge to exploit the privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ERASER Engine 119.1.7.8 or later

Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25659

Restart Required: Yes

Instructions:

1. Download the latest Symantec Endpoint Protection update from the Broadcom support portal.
2. Deploy the update to all affected endpoints.
3. Restart systems to complete installation.

🔧 Temporary Workarounds

Restrict local access (Windows): Limit local user access to systems running vulnerable Symantec Endpoint Protection.

🧯 If You Can't Patch

  • Implement strict access controls to limit who has local access to affected systems
  • Enable detailed logging and monitoring for file deletion events in protected directories

🔍 How to Verify

Check if Vulnerable:

Check ERASER Engine version in Symantec Endpoint Protection console or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\ERASER Engine

Check Version:

reg query "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\ERASER Engine" /v Version

Verify Fix Applied:

Verify ERASER Engine version is 119.1.7.8 or higher in Symantec Endpoint Protection management console
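The version check above as a script, added here as an example and not Broadcom or Symantec code. It assumes the registry key and the `Version` value named on this page and compares them as a proper four-part version rather than as text:

```powershell
# Added example (not vendor code). Assumes the registry location and value
# name given on this page; adjust if your console reports a different key.
$FixedVersion = [version]'119.1.7.8'
$KeyPath      = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\ERASER Engine'

function Get-EraserEngineStatus {
    param(
        [string]$Path   = $KeyPath,
        [version]$Fixed = $FixedVersion
    )
    $item = Get-ItemProperty -Path $Path -Name 'Version' -ErrorAction SilentlyContinue
    if (-not $item) {
        # Key or value absent: SEP not installed, or engine stored elsewhere on this build
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Version = $null; Status = 'NotFound' }
    }
    try {
        # [version] compares field by field as integers; a plain string compare
        # would wrongly rank 119.1.10.0 below 119.1.7.8.
        $installed = [version]$item.Version
    } catch {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Version = $item.Version; Status = 'UnparseableVersion' }
    }
    $status = if ($installed -ge $Fixed) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Version = $installed; Status = $status }
}

Get-EraserEngineStatus | Format-Table -AutoSize
```

Run it across a fleet with `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-EraserEngineStatus}` and filter on `Status -ne 'Patched'` to list hosts still needing the engine update.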

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in protected directories
  • Symantec Endpoint Protection service errors or restarts

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

EventID:4663 AND ObjectName:"*\Program Files\Symantec\*" AND AccessMask:0x10000

🔗 References
