CVE-2025-3599 Overview
CVE-2025-3599 affects the Symantec Endpoint Protection Windows Agent when running an ERASER Engine prior to version 119.1.7.8. The flaw allows an attacker to delete resources that are normally protected from an application or user, resulting in an elevation of privilege condition. Broadcom tracks the issue under Broadcom Security Advisory #25659. The root cause is a Time-of-Check Time-of-Use (TOCTOU) race condition [CWE-367] inside the engine responsible for removing malicious files and registry artifacts.
Critical Impact
An attacker can abuse the ERASER Engine to delete files and protected resources outside the attacker's normal authorization scope, undermining endpoint integrity and security tooling.
Affected Products
- Broadcom Symantec Endpoint Protection (Windows Agent)
- Broadcom Symantec ERASER Engine versions prior to 119.1.7.8
- Deployments using the embedded ERASER component for threat remediation
Discovery Timeline
- 2025-04-30 - CVE-2025-3599 published to NVD
- 2025-08-21 - Last updated in NVD database
Technical Details for CVE-2025-3599
Vulnerability Analysis
The ERASER Engine is the Symantec component responsible for forcibly removing malicious files, processes, and registry entries that standard Windows APIs cannot delete. It runs with elevated privileges and uses kernel-assisted operations to bypass file locks and access controls. The vulnerability stems from a race condition between when the engine validates a target path and when it performs the destructive operation against that path.
An attacker with the ability to manipulate the filesystem can swap a legitimate target for a sensitive system file between the check and the use. The engine then deletes a resource the calling user has no right to modify. This converts a remediation primitive into an arbitrary file delete primitive, a well-known stepping stone toward full privilege escalation on Windows.
Root Cause
The weakness maps to [CWE-367]: Time-of-Check Time-of-Use Race Condition. The ERASER Engine performs validation on a file path or handle, then re-resolves the path when executing the delete. Between those operations, the path can be redirected through symbolic links, junctions, or file replacement, causing the engine to act on a different object than the one it authorized.
Attack Vector
Exploitation requires the attacker to influence files or links accessible to the ERASER Engine while it processes a remediation task. By winning the race, the attacker coerces the privileged engine into deleting protected files such as service binaries, configuration data, or registry hives. Arbitrary file deletion on Windows is routinely chained with techniques like Windows Installer rollback abuse to obtain SYSTEM-level code execution.
No public proof-of-concept exploit is listed for CVE-2025-3599, and the issue is not present in the CISA Known Exploited Vulnerabilities catalog. The technical specifics of the race window are described in the Broadcom Security Advisory #25659.
Detection Methods for CVE-2025-3599
Indicators of Compromise
- Unexpected deletion of files in C:\Windows\System32, Program Files, or other directories normally protected from non-administrative users.
- Creation of NTFS junctions, mount points, or symbolic links inside directories that ERASER processes during remediation.
- ERASER Engine versions reported below 119.1.7.8 in Symantec Endpoint Protection client inventory.
- Service or driver start failures following routine antivirus remediation activity.
Detection Strategies
- Inventory all Windows endpoints running Symantec Endpoint Protection and confirm the ERASER Engine version through the SEP client Help > About dialog or management console reports.
- Correlate SEP remediation events with subsequent file-deletion telemetry to identify deletions that fall outside expected remediation paths.
- Hunt for non-administrative processes creating reparse points immediately before SEP scan or cleanup tasks execute.
Monitoring Recommendations
- Enable Windows Security event ID 4660 (object deleted) and 4663 (object access) on sensitive directories and monitor for deletions attributed to SEP processes such as ccSvcHst.exe.
- Forward SEP client logs to a centralized SIEM and alert on remediation actions targeting paths outside known malware quarantine locations.
- Track SEP version compliance as a continuous control and alert on rollback to vulnerable ERASER Engine builds.
How to Mitigate CVE-2025-3599
Immediate Actions Required
- Upgrade the Symantec ERASER Engine to version 119.1.7.8 or later on every Windows endpoint running Symantec Endpoint Protection.
- Verify content updates are flowing from the SEP Manager so the ERASER Engine receives the fixed build automatically.
- Restrict local administrative rights on workstations to limit which users can create junctions or symbolic links exploitable in the race window.
Patch Information
Broadcom addressed CVE-2025-3599 in ERASER Engine 119.1.7.8. The fixed engine is delivered through standard Symantec Endpoint Protection content updates and LiveUpdate channels. Administrators should confirm the deployed engine version after the next content update cycle. Full vendor guidance is available in Broadcom Security Advisory #25659.
Workarounds
- No vendor-supplied workaround replaces the engine update; apply the patched ERASER Engine as the primary control.
- Where patching is delayed, remove the SeCreateSymbolicLinkPrivilege from standard user accounts via Group Policy to reduce the practicality of TOCTOU exploitation.
- Enable tamper protection and monitor SEP client integrity to detect attempts to influence remediation targets.
# Verify ERASER Engine version via PowerShell on a Windows endpoint
Get-ItemProperty "HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate" |
Select-Object ProductVersion, ASEngineVersion, EraserEngineVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

