CVE-2023-21725 Overview
CVE-2023-21725 is an elevation of privilege vulnerability in the Microsoft Windows Malicious Software Removal Tool (MSRT). The flaw combines a link-following weakness [CWE-59] with a race condition [CWE-362], allowing a local authenticated attacker to manipulate file system operations performed by the privileged tool. Successful exploitation lets the attacker write to or modify resources outside the intended scope, leading to integrity and availability compromise on the affected host. Microsoft published the advisory on January 10, 2023, and addressed the issue through an updated MSRT release.
Critical Impact
A local low-privileged user can escalate privileges by winning a race against MSRT file operations and redirecting them through symbolic links, resulting in high impact to integrity and availability.
Affected Products
- Microsoft Windows Malicious Software Removal Tool (versions prior to the January 2023 update)
- Windows hosts running MSRT delivered via Windows Update
- Systems where MSRT executes with elevated privileges during scheduled or on-demand scans
Discovery Timeline
- 2023-01-10 - CVE-2023-21725 published to NVD
- 2023-01-10 - Microsoft released the security update addressing the vulnerability
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-21725
Vulnerability Analysis
The vulnerability resides in how MSRT handles file system objects during its scanning and remediation routines. MSRT runs with elevated privileges to inspect and remove malicious files. The tool performs sequential checks and operations on file paths without atomically validating that the target object has not been substituted between checks. A local attacker who can predict or influence the paths accessed by MSRT can manipulate the file system state during this window.
The weakness is classified under two Common Weakness Enumerations. [CWE-59] covers improper link resolution before file access, commonly known as link following. [CWE-362] covers concurrent execution using shared resources without proper synchronization, the classic race condition pattern. Together they describe a Time-of-Check Time-of-Use (TOCTOU) exploitation pattern.
Root Cause
MSRT validates a file or directory at one point in time and operates on the same path later without enforcing that the underlying object remains unchanged. An unprivileged user with write access to a parent directory can swap a legitimate file for a symbolic link, junction, or hard link between the check and the use. The tool then performs its privileged operation against the attacker-controlled target.
Attack Vector
Exploitation requires local access and low privileges on the target system. The attacker must also win a timing race against MSRT, which raises attack complexity. Once the race is won, MSRT can be coerced into writing, deleting, or modifying files the attacker could not otherwise reach. The confidentiality impact is none, but integrity and availability impact are high because attacker-influenced operations execute under MSRT's privileged context.
No public proof-of-concept or exploit code is listed in the enriched data, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft Security Update CVE-2023-21725 advisory for vendor technical details.
Detection Methods for CVE-2023-21725
Indicators of Compromise
- Creation of symbolic links, junctions, or hard links in directories accessed by MRT.exe or related MSRT working paths shortly before scheduled scans
- Unexpected file modifications or deletions on system files coincident with MSRT execution events
- MSRT log entries in %WINDIR%\debug\mrt.log showing operations against paths outside expected scan targets
Detection Strategies
- Monitor process creation events for MRT.exe and correlate with file system reparse point creation by non-administrative users
- Audit file system activity using Windows Security event ID 4663 for SYSTEM-context writes that follow recent reparse point creation by low-privileged users
- Hunt for repeated, rapid file rename or link operations in user-writable directories that overlap with MSRT scan windows
Monitoring Recommendations
- Enable object access auditing on directories where MSRT stages files and review for symbolic link creation events
- Track installed MSRT version through the registry key HKLM\SOFTWARE\Microsoft\RemovalTools\MRT to confirm hosts are running the patched build
- Alert on local accounts performing high-frequency file system operations during MSRT execution intervals
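A PowerShell hunting script that implements the detection strategies above, added here as an example and not part of the advisory. It assumes object access auditing already emits Security event 4663 on the watched directories, and $expectedRoots is a constructed allowlist of paths MSRT is expected to touch, which must be tuned per environment.

```powershell
# Added hunting script (not from the advisory). Assumptions: object access auditing already
# raises Security event 4663 on the watched directories, and $expectedRoots is a constructed
# allowlist of paths MSRT is expected to touch on this host; tune it per environment.
$lookback      = (Get-Date).AddHours(-24)
$expectedRoots = @("$env:WINDIR\Temp", "$env:ProgramData\Microsoft")
$userWritable  = @("$env:SystemDrive\Users", "$env:ProgramData")

# 1. File-object access events attributed to MRT.exe running as SYSTEM (SID S-1-5-18).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $lookback } `
                       -ErrorAction SilentlyContinue
$mrtOps = foreach ($e in $events) {
    $data = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data.ProcessName -like '*\MRT.exe' -and $data.SubjectUserSid -eq 'S-1-5-18' -and
        $data.ObjectType -eq 'File') {
        [pscustomobject]@{ Time = $e.TimeCreated; Object = $data.ObjectName; AccessMask = $data.AccessMask }
    }
}

# 2. MRT.exe operations on paths outside the expected roots: the "operations against paths
#    outside expected scan targets" indicator from the page.
$outside = $mrtOps | Where-Object {
    $obj = $_.Object
    -not ($expectedRoots | Where-Object { $obj -like "$_\*" })
}
"MRT.exe file operations outside expected roots: $(@($outside).Count)"
$outside | Sort-Object Time | Format-Table -AutoSize

# 3. Reparse points (symbolic links, junctions) that appeared in user-writable directories in
#    the 30 minutes before the first MRT.exe operation: the staging step of a link-following race.
$firstOp = ($mrtOps | Sort-Object Time | Select-Object -First 1).Time
if ($firstOp) {
    Get-ChildItem -Path $userWritable -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $firstOp.AddMinutes(-30) -and $_.CreationTime -le $firstOp } |
        Select-Object FullName, LinkType, CreationTime |
        Format-Table -AutoSize
}
```

Review the third listing alongside process creation events for MRT.exe (Sysmon event 1 or Security 4688) to confirm the link creator was a non-administrative account.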
How to Mitigate CVE-2023-21725
Immediate Actions Required
- Install the latest version of the Windows Malicious Software Removal Tool through Windows Update or the Microsoft Update Catalog
- Verify the MSRT version on all managed endpoints and confirm it postdates the January 2023 release
- Restrict interactive logon rights on servers and shared workstations to limit which accounts can stage a local race condition
Patch Information
Microsoft addressed CVE-2023-21725 by releasing an updated Windows Malicious Software Removal Tool on January 10, 2023. The update is distributed automatically through Windows Update on supported systems. Administrators managing offline or air-gapped fleets should retrieve the updated MSRT package from the Microsoft Update Catalog and deploy it via existing patch management workflows. Full details are available in the Microsoft Security Update CVE-2023-21725 advisory.
Workarounds
- No vendor-supplied workaround replaces the patch; apply the updated MSRT build as the primary remediation
- Enforce the principle of least privilege so that standard users cannot create reparse points in sensitive directories by removing the SeCreateSymbolicLinkPrivilege from non-administrative accounts
- Disable or remove MSRT execution on systems where it is not required, and rely on the endpoint protection platform already in place
# Verify installed MSRT version on a Windows host
reg query "HKLM\SOFTWARE\Microsoft\RemovalTools\MRT" /v Version
# Review MSRT execution log for unexpected operations
type %WINDIR%\debug\mrt.log
# Audit symbolic link privilege assignment
whoami /priv | findstr SeCreateSymbolicLinkPrivilege
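An added PowerShell check, not from the advisory, that verifies the two mitigations above on one host: the installed MSRT build and which accounts hold SeCreateSymbolicLinkPrivilege. It assumes $minimumMsrtVersion is a placeholder to be replaced with the January 2023 build number from the Microsoft advisory, and it must run elevated because secedit requires it.

```powershell
# Added verification script (not from the advisory); run elevated, since secedit needs it.
# Assumption: $minimumMsrtVersion is a PLACEHOLDER and must be set to the January 2023 MSRT
# file version taken from the Microsoft advisory before the Patched result means anything.
$minimumMsrtVersion = [version]'0.0'   # PLACEHOLDER: January 2023 (or later) MRT.exe file version
$result = [ordered]@{}

# 1. Installed build. The registry Version value named on this page is a release GUID, so it
#    is recorded for reference and the MRT.exe file version is used for the numeric comparison.
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT' -ErrorAction SilentlyContinue
$result.RegistryVersion = $reg.Version
$mrt = Join-Path $env:WINDIR 'System32\MRT.exe'
if (Test-Path $mrt) {
    $vi = (Get-Item $mrt).VersionInfo
    $fileVersion = New-Object Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $result.FileVersion = $fileVersion
    $result.Patched     = $fileVersion -ge $minimumMsrtVersion
} else {
    $result.Patched = 'MSRT not installed'
}

# 2. Accounts holding SeCreateSymbolicLinkPrivilege, from the local security policy export.
#    Administrators (S-1-5-32-544) is the default holder; any other SID deserves review.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$match = Get-Content $cfg | Select-String -Pattern '^SeCreateSymbolicLinkPrivilege\s*=\s*(.+)$' |
         Select-Object -First 1
$holders = if ($match) {
    $match.Matches[0].Groups[1].Value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
} else { @() }
Remove-Item $cfg -ErrorAction SilentlyContinue
$result.SymlinkPrivilegeHolders = $holders -join ', '
$result.NonDefaultHolders       = ($holders | Where-Object { $_ -ne 'S-1-5-32-544' }) -join ', '
# Caveat: this privilege governs symbolic links only. Junctions need no privilege, so the
# workaround still relies on directory ACLs to keep users from creating reparse points there.

# 3. Presence of the MSRT log named on this page, for follow-up review of its entries.
$result.LogPath    = Join-Path $env:WINDIR 'debug\mrt.log'
$result.LogPresent = Test-Path $result.LogPath
[pscustomobject]$result
```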
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


