Windows Disk Cleanup Tool Vulnerability Allows SYSTEM Privileges Exploitation: CVE-2025-21420 Patched

February 20, 2025

Microsoft has patched a significant vulnerability in its Windows Disk Cleanup Tool (cleanmgr.exe) as part of the February 2025 Patch Tuesday. The vulnerability, identified as CVE-2025-21420, could enable a threat actor to acquire SYSTEM privileges on a vulnerable system. This flaw, which has a CVSS rating of 7.8, presents a substantial threat to Windows users.

The vulnerability was disclosed to Microsoft anonymously, and a proof-of-concept (PoC) exploit was subsequently published on GitHub by a security researcher. The exploit makes use of a DLL sideloading technique with cleanmgr.exe, demonstrating how a malicious DLL could be disguised and loaded by the Disk Cleanup tool, effectively hijacking its execution path.

The researcher's notes suggest that standard DLL sideloading techniques are used. While the exact mechanism for privilege escalation is still under investigation, they proposed that scheduling cleanmgr.exe to run under the NT AUTHORITY\SYSTEM account or waiting for a system-triggered execution (for instance, due to low disk space or an abundance of temporary files) could be potential methods.
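For defenders, the sideloading behaviour described above can be hunted in image-load telemetry. The following is an added example, not code from the PoC or from Microsoft; it assumes Sysmon Event ID 7 (image load) logging is enabled, and the trusted-directory list and all sample events are constructed for illustration.

```python
import ntpath

# Assumption: directories treated as trusted DLL locations on a default install.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
SYSTEM_USER = r"nt authority\system"


def _norm(path):
    # Lower-case and collapse ".." so a traversal cannot fake a trusted prefix.
    return ntpath.normpath(path).lower()


def review_image_loads(events):
    """Flag suspicious DLL loads into cleanmgr.exe (Sysmon Event ID 7 field names)."""
    findings = []
    for ev in events:
        if ntpath.basename(_norm(ev["Image"])) != "cleanmgr.exe":
            continue
        loaded = _norm(ev["ImageLoaded"])
        reasons = []
        if not any(loaded.startswith(d + "\\") for d in TRUSTED_DIRS):
            reasons.append("untrusted directory")
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("missing or invalid signature")
        if reasons:
            as_system = ev.get("User", "").lower() == SYSTEM_USER
            findings.append({"dll": loaded, "reasons": reasons,
                             "severity": "high" if as_system else "medium"})
    return findings


# Constructed sample events, not real telemetry; DLL names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cleanmgr.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ImageLoaded": r"C:\Windows\System32\placeholder_a.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\cleanmgr.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ImageLoaded": r"C:\Users\Public\placeholder_b.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\cleanmgr.exe", "User": r"DESKTOP-TEST\alice",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\placeholder_c.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"DESKTOP-TEST\alice",
     "ImageLoaded": r"C:\Temp\placeholder_d.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in review_image_loads(SAMPLE_EVENTS):
        print(finding)
```

Loads that occur while cleanmgr.exe runs as NT AUTHORITY\SYSTEM are ranked highest because that is the context in which a sideloaded DLL yields the privilege escalation the article describes.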

In its February 2025 Patch Tuesday release, Microsoft addressed this vulnerability. The patch includes fixes for 55 security flaws, among them four zero-day vulnerabilities, two of which are currently being exploited in the wild. Users are urged to install this update immediately to guard their systems against potential attacks.

The exploit's relative simplicity, along with the possibility for SYSTEM-level compromise, makes CVE-2025-21420 a serious threat. Users who have not yet installed the February 2025 patch are advised to prioritize doing so to reduce the risk. More information about the patch and the other vulnerabilities addressed can be found on the Microsoft Security Response Center website.
