Security researchers have released a proof-of-concept exploit for CVE-2025-21420, a critical elevation of privilege vulnerability affecting Windows Disk Cleanup tool (cleanmgr.exe).
The vulnerability leverages improper link resolution mechanisms to achieve SYSTEM-level privileges through the SilentCleanup task, potentially allowing attackers to gain complete control over affected Windows systems.
This disclosure highlights ongoing security challenges in Windows system utilities and demonstrates how seemingly benign maintenance tools can become vectors for privilege escalation attacks.
The newly discovered vulnerability stems from improper link resolution before file access, classified under CWE-59 according to Microsoft’s security advisory.
Analysis of the updated cleanmgr.exe binary reveals the inclusion of a call to the SetProcessMitigationPolicy function with MitigationPolicy set to 16, corresponding to ProcessRedirectionTrustPolicy.
This indicates that Microsoft has implemented Redirection Guard to address the underlying security flaw, suggesting the company was aware of potential junction point attacks against the Disk Cleanup utility.
The vulnerability exploits the SilentCleanup scheduled task, which executes cleanmgr.exe with elevated privileges to perform system maintenance operations.
Through process monitoring analysis, researchers discovered that the cleanup process checks for the existence of specific folders including C:$Windows.~WS, C:\ESD\Windows, and C:\ESD\Download without properly validating whether these paths represent legitimate directories or malicious junction points.
This oversight creates an opportunity for attackers to redirect the cleanup operation to target critical system directories.
Windows Disk Cleanup Privilege Escalation
The proof-of-concept exploit employs a sophisticated multi-stage attack chain that combines arbitrary folder deletion with junction point redirection techniques.
The attack begins by creating three specific folders: C:$Windows.~WS, C:\ESD\Windows, and C:\ESD\Download, followed by the insertion of dummy files to trigger the cleanup process.
The exploit then leverages two established techniques previously documented by security researchers Simon Zuckerbraun and enigma0x3.
The first technique, “From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP,” targets the C:\Config.msi folder, which the SilentCleanup task has sufficient privileges to delete.
The second technique, “From Folder Contents Delete to SYSTEM EoP,” redirects the content cleanup operation from the intended ESD folders to the critical Config.msi directory.
This redirection is achieved through carefully crafted junction points that fool the cleanup process into operating on unintended targets while maintaining the elevated privileges inherited from the SilentCleanup task.
Mitigations
The successful exploitation of this vulnerability represents a significant security risk, as it provides a pathway for local privilege escalation that could be chained with other attacks to achieve complete system compromise.
The exploit’s reliance on the built-in SilentCleanup task makes it particularly concerning, as this scheduled task runs automatically with high privileges and is considered a trusted system component by most security solutions.
Security professionals recommend several immediate mitigation strategies while awaiting official patches from Microsoft.
Organizations should consider temporarily disabling the SilentCleanup scheduled task if feasible, though this may impact system maintenance operations.
Additionally, endpoint detection and response solutions should be configured to monitor for suspicious junction point creation and unusual file system operations in the ESD and Windows.~WS directories.
The researchers specifically note that antivirus solutions may detect this exploit technique, requiring exclusions for the FolderOrFileDeleteToSystem and FolderContentsDeleteToFolderDelete processes during testing scenarios.
This vulnerability disclosure underscores the importance of comprehensive security testing for system utilities and highlights how maintenance tools can become unexpected attack vectors when proper input validation and path resolution safeguards are not implemented.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
