CVE-2025-66680 Overview
CVE-2025-66680 is a high-severity vulnerability affecting the WiseDelfile64.sys kernel driver component of WiseCleaner Wise Force Deleter version 7.3.2 and earlier. This vulnerability allows local attackers with low privileges to delete arbitrary files on the system by sending specially crafted requests to the vulnerable driver. The flaw stems from improper link resolution (CWE-59), enabling attackers to abuse symlink or junction point mechanisms to target files outside of intended directories.
Critical Impact
Attackers can leverage this vulnerability to delete critical system files, security software components, or audit logs, potentially leading to system instability, denial of service, or facilitating further attacks by disabling security controls.
Affected Products
- WiseCleaner Wise Force Deleter version 7.3.2 and earlier
- Systems with WiseDelfile64.sys driver installed
- Windows operating systems running the affected software
Discovery Timeline
- 2026-03-03 - CVE-2025-66680 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2025-66680
Vulnerability Analysis
This vulnerability resides in the WiseDelfile64.sys kernel driver, which is a component of Wise Force Deleter—a utility designed to forcefully delete locked or stubborn files on Windows systems. The driver operates at the kernel level with elevated privileges to bypass file locks and access restrictions that prevent normal file deletion.
The core issue is an improper link resolution vulnerability (CWE-59), where the driver fails to properly validate or canonicalize file paths before performing deletion operations. This allows an attacker to craft malicious requests that include symbolic links, junction points, or other path manipulation techniques to redirect the deletion operation to arbitrary files on the filesystem.
Since the driver runs with kernel-level privileges, it can delete files that the calling user would not normally have permission to remove. This includes protected system files, security software components, and files owned by other users or system processes.
Root Cause
The root cause of CVE-2025-66680 is insufficient input validation in the WiseDelfile64.sys driver when processing file deletion requests. The driver does not properly resolve symbolic links or junction points before performing the deletion operation, allowing attackers to abuse the TOCTOU (Time-of-Check to Time-of-Use) race condition window or directly pass symlinked paths to target arbitrary files. This is a classic example of CWE-59: Improper Link Resolution Before File Access.
Attack Vector
The attack requires local access to the system with low-level user privileges. An attacker can exploit this vulnerability by:
- Creating a symbolic link or junction point that points to a target file (e.g., a critical system file or security software component)
- Invoking the Wise Force Deleter driver through its exposed interface (typically via DeviceIoControl)
- Passing the symlink path to the driver for deletion
- The driver follows the symlink and deletes the actual target file with kernel-level privileges
The vulnerability does not require user interaction and can be exploited programmatically. Technical details and proof-of-concept information can be found in the GitHub PoC Repository.
Detection Methods for CVE-2025-66680
Indicators of Compromise
- Unexpected deletion of system files, security software components, or log files
- Creation of suspicious symbolic links or junction points in user-writable directories
- Unusual DeviceIoControl calls to the WiseDelfile64.sys driver from non-standard processes
- System instability or crashes following file integrity check failures
Detection Strategies
- Monitor for symbolic link or junction point creation in user-controlled directories followed by interactions with the WiseDelfile64.sys driver
- Implement file integrity monitoring on critical system files and security software directories
- Deploy endpoint detection rules that alert on DeviceIoControl calls to the Wise Force Deleter driver from unexpected processes
- Track process lineage to identify suspicious applications communicating with the vulnerable driver
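One way to hunt for the link-creation indicator above, as an added PowerShell example (not from the vendor, NVD or the PoC repository): it lists symbolic links and junctions under a user-writable root whose target resolves into a protected directory. The scan root and the protected prefixes are assumptions to adjust per environment.

```powershell
# Added example, not vendor or PoC code. Scan root and protected prefixes are assumptions.
$ScanRoots = @(Join-Path $env:SystemDrive 'Users')
$Protected = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Resolve-LinkTarget {
    param([System.IO.FileSystemInfo]$Link, [string]$Target)
    # Junction targets can carry NT namespace prefixes (\??\ or \\?\); strip them.
    $clean = $Target -replace '^\\\?\?\\', '' -replace '^\\\\\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($clean)) {
        # Relative symlink targets are resolved against the link's parent directory.
        $clean = Join-Path (Split-Path -Parent $Link.FullName) $clean
    }
    return [System.IO.Path]::GetFullPath($clean).TrimEnd('\')
}

function Test-ProtectedPath {
    param([string]$Path, [string[]]$Prefixes)
    foreach ($p in $Prefixes) {
        # Match the prefix itself or anything below it, case-insensitively.
        if ($Path.Equals($p, [StringComparison]::OrdinalIgnoreCase) -or
            $Path.StartsWith("$p\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-LinksIntoProtectedPaths {
    param([string[]]$Roots = $ScanRoots, [string[]]$Prefixes = $Protected)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -in 'SymbolicLink', 'Junction' } |
            ForEach-Object {
                $link = $_
                # Target is a collection in Windows PowerShell 5.1 and a string in PowerShell 7.
                foreach ($t in @($link.Target)) {
                    if (-not $t) { continue }
                    $resolved = Resolve-LinkTarget -Link $link -Target $t
                    if (Test-ProtectedPath -Path $resolved -Prefixes $Prefixes) {
                        [pscustomobject]@{ Link = $link.FullName; LinkType = $link.LinkType
                                           Target = $resolved; CreatedUtc = $link.CreationTimeUtc }
                    }
                }
            }
    }
}

Find-LinksIntoProtectedPaths | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
```

Built-in compatibility links such as C:\Users\All Users also appear in the output, so baseline it on a clean host and alert on new entries, correlating CreatedUtc with activity against the driver.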
Monitoring Recommendations
- Enable Windows Security Event logging for object access and handle manipulation events
- Configure SentinelOne Deep Visibility to monitor driver interactions and file system operations
- Implement real-time alerts for deletion of files in protected directories such as C:\Windows\System32 and security software installation paths
- Monitor for privilege escalation attempts that may follow arbitrary file deletion attacks
How to Mitigate CVE-2025-66680
Immediate Actions Required
- Review systems for installations of WiseCleaner Wise Force Deleter version 7.3.2 or earlier
- Consider temporarily uninstalling or disabling the affected software until a patch is available
- Restrict local access to systems where the vulnerable driver is installed
- Implement application allowlisting to prevent unauthorized processes from interacting with the driver
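For the review step above, an added PowerShell example (not vendor tooling) that records where the driver is present on a host, together with its service state, signature and hash. The service and file names are those given on this page; the search roots are assumptions.

```powershell
# Added example, not vendor tooling. Names come from the advisory text; search roots are assumptions.
$DriverService = 'WiseDelfile64'
$DriverFile    = 'WiseDelfile64.sys'
$SearchRoots   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, (Join-Path $env:windir 'System32\drivers')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function ConvertTo-Win32Path {
    param([string]$ImagePath)
    # Driver image paths may be NT-style (\??\C:\...) or relative to \SystemRoot.
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:windir\"
    if ($p -match '^system32\\') { $p = Join-Path $env:windir $p }
    return $p
}

function Get-DriverExposure {
    # A registered kernel driver shows up as a Win32_SystemDriver instance.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverService'" -ErrorAction SilentlyContinue
    $paths = @()
    if ($svc -and $svc.PathName) { $paths += ConvertTo-Win32Path $svc.PathName }
    # Also catch copies on disk that are not (or no longer) registered as a service.
    $paths += @(Get-ChildItem -LiteralPath $SearchRoots -Recurse -Force -Filter $DriverFile -File -ErrorAction SilentlyContinue |
        ForEach-Object FullName)
    foreach ($path in ($paths | Sort-Object -Unique)) {
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Path        = $path
            FileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            Signer      = $sig.SignerCertificate.Subject
            SigStatus   = $sig.Status
            SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Service     = if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'not registered' }
        }
    }
}

Get-DriverExposure | Format-List
```

The driver's FileVersion is not necessarily the product version, so treat any hit as in scope until it is checked against the installed Wise Force Deleter version.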
Patch Information
As of the last update on 2026-03-05, no vendor patch has been released for this vulnerability. Users should monitor the WiseCleaner official website for security updates. The vulnerability affects Wise Force Deleter version 7.3.2 and all earlier versions.
Workarounds
- Uninstall Wise Force Deleter if the functionality is not critical to operations
- Use Windows built-in file management tools or alternative software that does not have known vulnerabilities
- Implement strict access controls to limit which users can execute or interact with the driver
- Deploy SentinelOne endpoint protection with behavioral detection enabled to identify and block exploitation attempts
- Consider blocking the WiseDelfile64.sys driver via device installation policies if the software cannot be removed
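# Example (PowerShell, elevated prompt): check for vulnerable driver installation
# sc.exe is spelled out because "sc" is an alias for Set-Content in Windows PowerShell
sc.exe query WiseDelfile64
# If present and running, consider stopping the service
sc.exe stop WiseDelfile64
# Disable automatic startup (the space after "start=" is required)
sc.exe config WiseDelfile64 start= disabled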

