CVE-2025-7073
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Bitdefender Total Security where low-privileged attackers can delete arbitrary files via a symbolic link attack, then chain this with file copy operations and DLL injection to achieve SYSTEM-level code execution. It affects Windows systems running the vulnerable Bitdefender version. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Bitdefender Total Security
📦 What is this software?
Antivirus by Bitdefender
Antivirus Plus by Bitdefender
Internet Security by Bitdefender
Total Security by Bitdefender
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM-level compromise allowing attackers to install persistent malware, steal credentials, disable security controls, and pivot to other systems on the network.
Likely Case
Local privilege escalation to SYSTEM privileges enabling installation of backdoors, credential dumping, and lateral movement within the network.
If Mitigated
Limited to low-privileged user capabilities if proper access controls prevent local user access or if the vulnerability is patched.
🎯 Exploit Status
Exploitation requires local access and involves multiple steps: symbolic link creation, file deletion, file copy chaining, and DLL injection. The vulnerability details are publicly disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version (check Bitdefender for specific fixed version)
Vendor Advisory: https://www.bitdefender.com/support/security-advisories/local-privilege-escalation-via-arbitrary-file-operation-in-bitdefender-atc-va-12590
Restart Required: Yes
Instructions:
1. Open Bitdefender interface
2. Check for updates
3. Install available updates
4. Restart computer
5. Verify update completed successfully
🔧 Temporary Workarounds
Restrict access to vulnerable directory
Set restrictive permissions on C:\ProgramData\Atc\Feedback to prevent low-privileged users from writing to it
icacls "C:\ProgramData\Atc\Feedback" /inheritance:r
icacls "C:\ProgramData\Atc\Feedback" /grant SYSTEM:F
icacls "C:\ProgramData\Atc\Feedback" /grant Administrators:F
Monitor symbolic link creation
Enable auditing for symbolic link creation in vulnerable directories. Note that the "File System" subcategory only generates object access events for files and directories that carry an audit ACL (SACL), so a SACL must also be set on C:\ProgramData\Atc\Feedback for the policy below to produce events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
🧯 If You Can't Patch
- Implement strict access controls to prevent low-privileged users from accessing systems with Bitdefender
- Monitor for suspicious file operations in C:\ProgramData\Atc\Feedback directory and DLL injection attempts
🔍 How to Verify
Check if Vulnerable:
Check Bitdefender version in the application interface or via 'wmic product where name="Bitdefender Total Security" get version'
Check Version:
wmic product where name="Bitdefender Total Security" get version
Verify Fix Applied:
Verify Bitdefender version is newer than 27.0.46.231 and check that C:\ProgramData\Atc\Feedback directory has proper permissions
📡 Detection & Monitoring
Log Indicators:
- File deletion events in C:\ProgramData\Atc\Feedback by bdservicehost.exe
- Symbolic link creation in vulnerable directories
- DLL injection attempts into SYSTEM processes
Network Indicators:
- Unusual outbound connections from SYSTEM processes post-exploitation
SIEM Query:
process_name="bdservicehost.exe" AND file_path="C:\\ProgramData\\Atc\\Feedback\\*" AND action="delete"
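An added detection example, not part of the advisory: it implements the SIEM predicate above and raises an alert's severity when a non-SYSTEM account created a symbolic link in the same directory shortly before the delete. The event field names (ts, action, process_name, user, file_path) and the sample telemetry are assumptions constructed for the example, modelled loosely on Sysmon/EDR records.

```python
# Added detection example (not from the advisory): correlate the SIEM query above
# with earlier symbolic-link creation in the same directory by a non-SYSTEM user.
# Event dicts are constructed; field names (ts, action, process_name, user,
# file_path) are assumptions modelled loosely on Sysmon/EDR telemetry.
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

FEEDBACK_DIR = PureWindowsPath(r"C:\ProgramData\Atc\Feedback")
PRIVILEGED_USERS = {"NT AUTHORITY\\SYSTEM"}

def under_feedback_dir(path: str) -> bool:
    """True if path is inside the Feedback directory (case-insensitive, as NTFS is)."""
    parts = [s.lower() for s in PureWindowsPath(path).parts]
    want = [s.lower() for s in FEEDBACK_DIR.parts]
    return len(parts) > len(want) and parts[:len(want)] == want

def matches_siem_query(ev: dict) -> bool:
    """Same predicate as the SIEM query: bdservicehost.exe deleting under the Feedback dir."""
    return (ev["process_name"].lower() == "bdservicehost.exe"
            and ev["action"] == "delete" and under_feedback_dir(ev["file_path"]))

def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """One alert per matching delete; severity 'high' if a non-SYSTEM account created a
    symlink under the same directory within `window` before the delete, else 'medium'."""
    symlinks = [e for e in events if e["action"] == "symlink_create"
                and under_feedback_dir(e["file_path"]) and e["user"] not in PRIVILEGED_USERS]
    alerts = []
    for ev in filter(matches_siem_query, events):
        t = datetime.fromisoformat(ev["ts"])
        prior = [s for s in symlinks
                 if timedelta(0) <= t - datetime.fromisoformat(s["ts"]) <= window]
        alerts.append({"ts": ev["ts"], "file_path": ev["file_path"],
                       "severity": "high" if prior else "medium",
                       "symlink_by": sorted({s["user"] for s in prior})})
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"ts": "2025-07-01T10:00:00", "action": "symlink_create", "process_name": "cmd.exe",
     "user": "DESKTOP\\lowpriv", "file_path": r"C:\ProgramData\Atc\Feedback\report.txt"},
    {"ts": "2025-07-01T10:02:30", "action": "delete", "process_name": "bdservicehost.exe",
     "user": "NT AUTHORITY\\SYSTEM", "file_path": r"c:\programdata\atc\feedback\report.txt"},
    {"ts": "2025-07-01T11:00:00", "action": "delete", "process_name": "bdservicehost.exe",
     "user": "NT AUTHORITY\\SYSTEM", "file_path": r"C:\ProgramData\Atc\Feedback\old.log"},
    {"ts": "2025-07-01T11:05:00", "action": "delete", "process_name": "explorer.exe",
     "user": "DESKTOP\\lowpriv", "file_path": r"C:\Users\lowpriv\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the first delete is rated high because the low-privileged symlink creation preceded it by under ten minutes, the second is rated medium, and the explorer.exe delete outside the directory is ignored.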