CVE-2025-21373 Overview
CVE-2025-21373 is an Elevation of Privilege vulnerability affecting the Windows Installer service across a wide range of Microsoft Windows operating systems. This vulnerability allows a local attacker with low privileges to escalate their access to gain full control over an affected system. The flaw stems from improper link resolution before file access, classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack vulnerability.
Critical Impact
A local attacker could exploit this vulnerability to elevate privileges from a standard user account to SYSTEM-level access, enabling complete compromise of the affected Windows system including the ability to install programs, modify data, and create new accounts with full user rights.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, 2025
Discovery Timeline
- February 11, 2025 - CVE-2025-21373 published to NVD
- February 26, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21373
Vulnerability Analysis
This vulnerability exists within the Windows Installer service (msiexec.exe), a core Windows component responsible for the installation, maintenance, and removal of software. The flaw is categorized as an improper link resolution vulnerability (CWE-59), which occurs when the Windows Installer service follows symbolic links (symlinks) or junction points without properly validating their targets.
When the Windows Installer service performs privileged operations on files or directories, it may follow symbolic links created by a low-privileged attacker. This behavior can be exploited to redirect file operations to arbitrary locations, potentially overwriting critical system files or manipulating security-sensitive configurations with SYSTEM-level privileges.
The vulnerability requires local access and low-privilege user authentication, meaning an attacker must first gain access to the target system through another means before exploitation. However, no user interaction is required once the attacker has local access, making this vulnerability particularly dangerous in multi-user environments or scenarios where attackers have limited initial access.
Root Cause
The root cause of CVE-2025-21373 lies in the Windows Installer service's failure to properly validate symbolic links and junction points before performing file operations. When the installer service runs with elevated SYSTEM privileges, it processes file paths without adequately checking whether those paths contain symbolic links pointing to sensitive system locations.
This type of vulnerability, known as a symlink attack or link following vulnerability, occurs because:
- The Windows Installer service operates with SYSTEM-level privileges
- The service performs file operations on paths that can be influenced by low-privileged users
- Insufficient validation of symbolic links allows redirection of these file operations
- The time-of-check to time-of-use (TOCTOU) window enables exploitation
Attack Vector
The attack requires local access to the target system with a standard user account. An attacker would exploit this vulnerability through the following general approach:
- Identify a location where the Windows Installer service performs file operations
- Create a symbolic link or junction point at that location pointing to a sensitive target (such as system files or privileged directories)
- Trigger the Windows Installer service to perform operations that follow the symbolic link
- The installer service, running with SYSTEM privileges, performs the redirected operation on the attacker-specified target
This exploitation technique leverages the Windows Installer's elevated privileges to perform unauthorized actions on protected system resources. The vulnerability is particularly concerning because the Windows Installer service is a trusted system component that frequently handles privileged operations.
Detection Methods for CVE-2025-21373
Indicators of Compromise
- Unusual symbolic link or junction point creation in Windows Installer working directories (e.g., %TEMP%, %WINDIR%\Installer)
- Unexpected modifications to system files or directories by the msiexec.exe process
- Suspicious Windows Installer activity from non-administrative user accounts
- Creation of hardlinks or symlinks by non-privileged processes targeting system directories
Detection Strategies
- Monitor for suspicious symbolic link creation events using Windows Event Logging and Sysmon (Event IDs for file system changes)
- Deploy endpoint detection rules to identify msiexec.exe accessing unexpected file paths or following symbolic links to sensitive locations
- Implement file integrity monitoring on critical system directories to detect unauthorized modifications
- Use SentinelOne's behavioral AI to detect anomalous privilege escalation patterns associated with Windows Installer exploitation
Monitoring Recommendations
- Enable advanced auditing for file system operations, particularly symbolic link creation and Windows Installer activity
- Configure SIEM rules to alert on unusual patterns of Windows Installer service invocation by standard users
- Monitor for process creation events where msiexec.exe spawns child processes with elevated privileges
- Implement endpoint telemetry collection focusing on junction point and symlink operations in user-writable directories
How to Mitigate CVE-2025-21373
Immediate Actions Required
- Apply the February 2025 Microsoft security updates immediately to all affected Windows systems
- Prioritize patching domain controllers, critical servers, and multi-user systems where privilege escalation risks are highest
- Review and restrict user permissions on systems where patching cannot be immediately applied
- Enable enhanced Windows Defender protections and ensure endpoint security solutions are up to date
Patch Information
Microsoft has released security updates addressing this vulnerability as part of the February 2025 Patch Tuesday release. The official security advisory is available at the Microsoft Security Update Guide. Organizations should apply the appropriate update for their Windows version through Windows Update, WSUS, or Microsoft Update Catalog.
Patches are available for:
- Windows 10 versions 1507, 1607, 1809, 21H2, and 22H2
- Windows 11 versions 22H2, 23H2, and 24H2
- Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Workarounds
- Implement application whitelisting to control which applications can invoke the Windows Installer service
- Use Windows Defender Application Control (WDAC) or AppLocker policies to restrict MSI package execution
- Limit local access to systems and enforce least-privilege principles for user accounts
- Consider temporarily restricting symbolic link creation capabilities for standard users in high-security environments
# Verify patch installation status
wmic qfe list brief | findstr "KB"
# Check Windows Installer service status
sc query msiserver
# Review symbolic link privileges (PowerShell)
whoami /priv | Select-String "SeCreateSymbolicLinkPrivilege"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
