CVE-2025-3599 Overview
CVE-2025-3599 is an Elevation of Privilege vulnerability affecting Symantec Endpoint Protection Windows Agent with ERASER Engine versions prior to 119.1.7.8. This vulnerability may allow an attacker to delete resources that are normally protected from an application or user, potentially compromising system integrity and disrupting endpoint protection capabilities.
Critical Impact
This vulnerability enables attackers to bypass security boundaries and delete protected resources, which could be leveraged to disable security controls or remove critical system files on Windows endpoints running vulnerable Symantec Endpoint Protection agents.
Affected Products
- Broadcom Symantec ERASER Engine (versions prior to 119.1.7.8)
- Broadcom Symantec Endpoint Protection for Windows
- Windows systems running vulnerable ERASER Engine components
Discovery Timeline
- April 30, 2025 - CVE-2025-3599 published to NVD
- August 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-3599
Vulnerability Analysis
This vulnerability stems from a Time-of-Check Time-of-Use (TOCTOU) race condition, as indicated by the associated CWE-367 classification. In TOCTOU vulnerabilities, a timing gap exists between when a program checks a condition (such as file permissions or resource availability) and when it uses the result of that check. During this window, an attacker can manipulate the state of the resource, leading to unintended consequences.
In the context of the Symantec Endpoint Protection ERASER Engine, this race condition enables unauthorized deletion of protected resources. The ERASER Engine, which is responsible for remediation and cleanup operations, may improperly validate resource access before performing delete operations. An attacker who can win the race condition could redirect deletion operations to target arbitrary protected files or system resources.
The network-based attack vector suggests that exploitation may be possible without local access to the target system, increasing the potential impact across enterprise environments.
Root Cause
The root cause of CVE-2025-3599 is a Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-367) within the ERASER Engine component. The vulnerability occurs when the engine fails to atomically verify and maintain security constraints on resources between the time it checks their protection status and the time it performs deletion operations. This timing window can be exploited by an attacker to manipulate which resources are targeted for deletion, effectively bypassing the intended access controls.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker could potentially exploit this race condition by:
- Triggering the ERASER Engine's remediation or cleanup functionality
- Manipulating file system resources or symbolic links during the timing window between the security check and the actual deletion operation
- Redirecting the deletion operation to target protected system files, security configurations, or other critical resources
The vulnerability results in high integrity impact, allowing attackers to delete or modify resources that should be protected by the endpoint security agent.
The TOCTOU race condition in the ERASER Engine can be exploited when an attacker manipulates file system objects during the window between permission verification and deletion execution. This typically involves creating symbolic links or junctions that redirect the deletion operation to protected targets after the initial security check passes. Technical details are available in the Broadcom Security Advisory.
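The check-then-use gap described above, as an added illustration that is not Symantec or Broadcom code: a cleanup routine that validates a file by path and then deletes it by path (the CWE-367 pattern) is placed beside a hardened variant that opens the containing directory without following links and deletes relative to that opened handle, so a later path substitution cannot redirect the delete. The function names, the quarantine and protected directory names, and the race_hook used to trigger the swap deterministically (instead of real concurrency) are all constructed for this example. It uses POSIX directory descriptors; the Windows analogue is opening the directory handle without traversing reparse points and deleting relative to that handle.

```python
import os
import stat
import tempfile

# Constructed demonstration of CWE-367 in a "check, then delete" cleanup routine.
# unsafe_remove, safe_remove and demo are hypothetical names, not ERASER Engine code.


def unsafe_remove(quarantine_root: str, name: str, race_hook=lambda: None) -> None:
    """Vulnerable pattern: validate by path, then delete by path.

    race_hook stands in for the window between check and use; in a real race
    another process would have to win that timing window."""
    target = os.path.join(quarantine_root, name)
    # Time-of-check: the directory is real and the entry is a regular file.
    if os.path.islink(quarantine_root) or not stat.S_ISREG(os.lstat(target).st_mode):
        raise PermissionError("refusing: not a regular file inside the quarantine")
    race_hook()
    # Time-of-use: the path is resolved again and follows whatever it points to now.
    os.unlink(target)


def safe_remove(quarantine_root: str, name: str, race_hook=lambda: None) -> None:
    """Hardened pattern: open the directory without following links, check the
    entry through that handle, and delete relative to the same handle (dir_fd)."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    # O_NOFOLLOW: fail (ELOOP) if the quarantine path is already a symlink.
    dir_fd = os.open(quarantine_root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing: not a regular file inside the quarantine")
        race_hook()
        # The delete is bound to the directory we opened, not to the path string.
        os.unlink(name, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def demo(remove_fn) -> dict:
    """Run remove_fn under a simulated race: between check and use the quarantine
    directory is swapped for a symlink pointing at a protected directory.
    Returns the outcome and which files survived (constructed layout)."""
    with tempfile.TemporaryDirectory() as base:
        protected = os.path.join(base, "protected")
        quarantine = os.path.join(base, "quarantine")
        os.mkdir(protected)
        os.mkdir(quarantine)
        protected_file = os.path.join(protected, "agent.conf")
        quarantined_file = os.path.join(quarantine, "agent.conf")
        for p in (protected_file, quarantined_file):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")

        def swap_directory():
            # The window is "won": the quarantine path now resolves to protected/.
            os.rename(quarantine, quarantine + ".old")
            os.symlink(protected, quarantine)

        try:
            remove_fn(quarantine, "agent.conf", race_hook=swap_directory)
            outcome = "deleted"
        except OSError:
            outcome = "refused"
        return {
            "outcome": outcome,
            "protected_file_survived": os.path.exists(protected_file),
            "quarantined_file_survived": os.path.exists(
                os.path.join(quarantine + ".old", "agent.conf")),
        }


if __name__ == "__main__":
    print("unsafe:", demo(unsafe_remove))
    print("safe:  ", demo(safe_remove))
```

With the vulnerable routine the delete lands on protected/agent.conf and the quarantined file is untouched; with the hardened routine the same swap has no effect because the unlink is relative to the directory descriptor obtained before the check.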
Detection Methods for CVE-2025-3599
Indicators of Compromise
- Unexpected deletion of protected system files or security configurations on endpoints running Symantec Endpoint Protection
- Suspicious file system activity involving symbolic links or junctions in directories monitored by the ERASER Engine
- Log entries indicating failed or redirected remediation operations within Symantec Endpoint Protection
- Missing security agent components or disabled protection features without authorized administrative action
Detection Strategies
- Monitor file system activity for race condition exploitation patterns, particularly rapid creation of symbolic links followed by deletion operations
- Implement integrity monitoring on critical system files and Symantec Endpoint Protection configuration directories
- Review Symantec Endpoint Protection logs for anomalous remediation events or unexpected file deletions
- Deploy SentinelOne Singularity to detect and prevent privilege escalation attempts targeting endpoint security products
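One way to implement the first detection strategy above, as an added example rather than anything from Symantec or SentinelOne: correlate link-creation events inside a directory that a cleanup engine empties with delete events that, a short time later, resolve through that link into a protected location. The event schema, the quarantine directory path, the five-second window and the sample events are constructed assumptions; the protected directories reuse the installation path the page names plus System32.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed detection logic: a symlink/junction created under a cleanup directory,
# followed within WINDOW by a delete whose path resolves through that link into a
# protected directory. Not Symantec's log schema; fields and paths are assumptions.

WINDOW = timedelta(seconds=5)
# Hypothetical directory whose contents a remediation engine deletes.
CLEANUP_DIRS = [PureWindowsPath(r"C:\ProgramData\Symantec\Quarantine")]
# Locations a delete should never be redirected into.
PROTECTED_DIRS = [
    PureWindowsPath(r"C:\Program Files\Symantec\Symantec Endpoint Protection"),
    PureWindowsPath(r"C:\Windows\System32"),
]


def _starts_with(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path equals root or lies beneath it (component-wise prefix)."""
    return path.parts[:len(root.parts)] == root.parts


def resolve_through_link(path, link, target):
    """If path lies beneath link, return the path the OS would act on once the
    link is followed (target + remainder); otherwise None."""
    if _starts_with(path, link):
        return target.joinpath(*path.parts[len(link.parts):])
    return None


def detect_redirected_deletes(events):
    """events: dicts sorted by 'ts' with keys ts, pid, op, path and (for link
    creation) target. Returns one alert per delete that resolves through a
    recently created link into a protected directory."""
    recent_links = []  # (created_at, link path, link target, creating pid)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        path = PureWindowsPath(ev["path"])
        if ev["op"] in ("create_symlink", "create_junction"):
            if any(_starts_with(path, d) for d in CLEANUP_DIRS):
                recent_links.append((ts, path, PureWindowsPath(ev["target"]), ev["pid"]))
        elif ev["op"] == "delete":
            # Drop links older than the correlation window before matching.
            recent_links = [l for l in recent_links if ts - l[0] <= WINDOW]
            for created_at, link, target, link_pid in recent_links:
                resolved = resolve_through_link(path, link, target)
                if resolved is not None and any(_starts_with(resolved, d) for d in PROTECTED_DIRS):
                    alerts.append({
                        "delete_path": str(path),
                        "resolved_path": str(resolved),
                        "link": str(link),
                        "link_pid": link_pid,
                        "delete_pid": ev["pid"],
                        "delay_ms": (ts - created_at) // timedelta(milliseconds=1),
                    })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the engine deletes a quarantined file directly.
    {"ts": "2025-05-01T10:00:00.000", "pid": 1204, "op": "delete",
     "path": r"C:\ProgramData\Symantec\Quarantine\sample.bin"},
    # Suspicious: a junction appears in the cleanup directory, and 80 ms later a
    # delete passes through it into the product's installation directory.
    {"ts": "2025-05-01T10:05:00.000", "pid": 4120, "op": "create_junction",
     "path": r"C:\ProgramData\Symantec\Quarantine\stage",
     "target": r"C:\Program Files\Symantec\Symantec Endpoint Protection"},
    {"ts": "2025-05-01T10:05:00.080", "pid": 1204, "op": "delete",
     "path": r"C:\ProgramData\Symantec\Quarantine\stage\ccEraser.dll"},
    # Benign: a link whose target is not a protected location.
    {"ts": "2025-05-01T11:00:00.000", "pid": 4120, "op": "create_symlink",
     "path": r"C:\ProgramData\Symantec\Quarantine\old",
     "target": r"C:\Users\Public\Downloads"},
    {"ts": "2025-05-01T11:00:00.050", "pid": 1204, "op": "delete",
     "path": r"C:\ProgramData\Symantec\Quarantine\old\leftover.tmp"},
]

if __name__ == "__main__":
    for alert in detect_redirected_deletes(SAMPLE_EVENTS):
        print(alert)
```

The window is the tunable part: a short window catches the rapid create-then-delete sequence the strategy describes, while the link-creating process id is kept in the alert so that a link planted by a process other than the security agent itself can be prioritised.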
Monitoring Recommendations
- Enable detailed audit logging for file system operations on protected directories
- Configure alerts for modifications to Symantec Endpoint Protection installation directories and configuration files
- Monitor for process behavior anomalies associated with the ERASER Engine component (ccEraser.dll and related binaries)
- Implement real-time file integrity monitoring for security-critical system resources
How to Mitigate CVE-2025-3599
Immediate Actions Required
- Update the ERASER Engine to version 119.1.7.8 or later as specified in the Broadcom security advisory
- Verify all Symantec Endpoint Protection Windows Agents in your environment are running patched ERASER Engine versions
- Review systems for any signs of compromise or unauthorized resource deletion
- Consider temporarily restricting network access to potentially vulnerable endpoints until patches are applied
Patch Information
Broadcom has released a security update addressing this vulnerability. Organizations should update the ERASER Engine to version 119.1.7.8 or later. The security advisory and patch details are available at the Broadcom Security Advisory #25659.
Enterprise administrators should use their Symantec Endpoint Protection Manager console to deploy the updated ERASER Engine definitions across all managed endpoints. Standalone installations should be manually updated using the latest available packages from Broadcom support.
Workarounds
- Implement network segmentation to limit exposure of vulnerable endpoints
- Apply additional access controls to restrict which processes can create symbolic links or junctions in sensitive directories
- Deploy compensating controls using SentinelOne to monitor and prevent exploitation attempts
- Consider using application whitelisting to restrict execution in directories commonly targeted by TOCTOU exploits
# Verify the ERASER Engine version on Windows endpoints (PowerShell)
# Check the installed Symantec Endpoint Protection product version in the registry
reg query "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion" /v PRODUCTVERSION
# List ERASER Engine component files with their file versions so they can be compared against 119.1.7.8
Get-ChildItem -Path "C:\Program Files\Symantec\Symantec Endpoint Protection" -Recurse -Filter "*eraser*" |
    Select-Object FullName, @{ Name = "FileVersion"; Expression = { $_.VersionInfo.FileVersion } }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.