Microsoft has addressed a critical vulnerability in the Windows Disk Cleanup Tool (cleanmgr.exe) in the February 2025 Patch Tuesday security updates.
Tracked as CVE-2025-21420, the vulnerability has a CVSS rating of 7.8 and could allow a threat actor to gain SYSTEM privileges on an affected system.
The vulnerability was reported anonymously to Microsoft, and a security researcher subsequently published a proof-of-concept (PoC) exploit on GitHub.
.png
)
The exploit uses a DLL sideloading technique with cleanmgr.exe, which involves disguising and loading a malicious DLL that hijacks the tool’s execution path.
Windows Disk Cleanup Tool Vulnerability Exploit
The PoC exploit demonstrates DLL sideloading with cleanmgr.exe. DLL sideloading is a technique that enables an attacker to execute malicious code from within legitimate Windows binaries.
The researcher’s notes suggest that standard DLL sideloading techniques are used. While the exact mechanism for privilege escalation is still under investigation, scheduling cleanmgr.exe to run under the NT AUTHORITY\SYSTEM account or waiting for a system-triggered execution could be potential methods.
The GitHub page for the PoC provides the following instructions:
text$ cp .\dokan1.dll C:\Users\<username>\System32\System32\System32\dokannp1.dll
$ cleanmgr /sageset:2
The researcher added that regular DLL Sideloading would work, but they had not yet tested if it’s sufficient to have the second DLL name only or if the first, slightly different one is also used.
They are currently working on the PrivEsc part, but it’s very likely just scheduling cleanmgr.exe for NT-Authority\System or waiting until it’s triggered by the system, for example, by filling a disk or creating too many temporary files.
In its February 2025 Patch Tuesday release, Microsoft addressed this vulnerability. The patch includes fixes for 55 security flaws, among them four zero-day vulnerabilities, two of which are currently being exploited in the wild.
Users must install this update immediately to guard their systems against attacks. The exploit’s relative simplicity and the possibility for SYSTEM-level compromise make CVE-2025-21420 a serious threat.
Users who have not yet installed the February 2025 patch are advised to prioritize doing so to reduce the risk. The Microsoft Security Response Center website has more information about the patch and the other vulnerabilities addressed.
Microsoft’s February 2025 Patch Tuesday addressed 67 vulnerabilities, including three critical and 53 essential severity vulnerabilities. This includes four zero-day vulnerabilities, two of which have been actively exploited in attacks and two publicly disclosed.
The updates include patches for vulnerabilities in Microsoft Streaming Service, Windows LDAP, Windows NTLM, Windows DHCP Server, Microsoft Edge (Chromium-based), and Microsoft PC Manager.
The types of vulnerabilities fixed include Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, and Remote Code Execution (RCE).
Other zero-day vulnerabilities that were fixed include:
- CVE-2025-21418: A privilege escalation vulnerability in Windows Ancillary Function Driver for WinSock.
- CVE-2025-21391: A privilege escalation vulnerability in Windows Storage.
- CVE-2025-21194: A security feature bypass in Microsoft Surface.
- CVE-2025-21377: A spoofing vulnerability affecting NTLM Hash Disclosure.
Users are advised to apply the patches as soon as possible to mitigate the risks associated with these vulnerabilities.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response and Threat Hunting – Register Here
