CVE-2025-66680 Overview
CVE-2025-66680 is an arbitrary file deletion vulnerability in the WiseDelfile64.sys kernel driver shipped with WiseCleaner Wise Force Deleter version 7.3.2 and earlier. The driver exposes functionality that allows a local, low-privileged attacker to send a crafted request and delete arbitrary files on the system. Because the driver runs in kernel context, it can bypass file permissions that would normally restrict a standard user. The flaw is categorized under CWE-59: Improper Link Resolution Before File Access. A proof-of-concept is publicly available on GitHub.
Critical Impact
Local attackers with low privileges can delete protected system or application files, enabling denial of service, tampering with security products, and potential privilege escalation chains.
Affected Products
- WiseCleaner Wise Force Deleter 7.3.2
- WiseCleaner Wise Force Deleter versions prior to 7.3.2
- WiseDelfile64.sys kernel driver component
Discovery Timeline
- 2026-03-03 - CVE-2025-66680 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2025-66680
Vulnerability Analysis
Wise Force Deleter is a utility marketed to remove locked or stubborn files. It installs WiseDelfile64.sys, a signed kernel driver that performs file deletion in kernel mode to bypass user-mode file locks. The driver exposes an IOCTL interface to user-mode processes. The interface does not adequately validate the caller's privileges or the target path supplied in the request. A local user can open a handle to the driver and submit a crafted request specifying any file path. The driver then deletes the target file with kernel-level authority, ignoring standard access control list (ACL) restrictions. The publicly available proof-of-concept demonstrates deletion of files owned by SYSTEM from a standard user context.
Root Cause
The root cause is missing access control and insufficient path validation in the IOCTL handler of WiseDelfile64.sys. The driver trusts the path provided by the user-mode caller and does not enforce that the caller has the rights to delete the target. The [CWE-59] classification indicates improper link resolution, suggesting symbolic link or junction handling further amplifies the impact by allowing redirection of deletion operations to protected locations.
Attack Vector
Exploitation requires local code execution on the host with at least low-privileged user rights. The attacker loads the Wise Force Deleter product or interacts directly with an already-installed WiseDelfile64.sys device object. By issuing IOCTLs that contain attacker-chosen file paths, the attacker can delete files such as antivirus definitions, EDR agent binaries, scheduled task configurations, or DLLs whose subsequent reload triggers privileged code paths. See the public proof-of-concept repository for technical details on the IOCTL structure and exploitation primitives.
Detection Methods for CVE-2025-66680
Indicators of Compromise
- Presence of WiseDelfile64.sys loaded on systems where Wise Force Deleter is not an approved application.
- Unexpected deletion of files in protected directories such as C:\Windows\System32, C:\Program Files, or security product installation paths.
- Process handles to the \\.\WiseDelfile64 device object opened by unsigned or non-WiseCleaner binaries.
- Creation of symbolic links or junctions in user-writable directories immediately preceding file deletion events.
Detection Strategies
- Inventory endpoints for the WiseDelfile64.sys driver and flag installations on servers or workstations without a business justification.
- Monitor kernel driver load events (Windows Event ID 6 in Sysmon) for WiseDelfile64.sys and correlate with the loading process identity.
- Alert on DeviceIoControl calls targeting the Wise Force Deleter device from non-parent processes.
- Correlate file deletion telemetry against process lineage to detect non-administrative processes triggering deletions of SYSTEM-owned files.
Monitoring Recommendations
- Enable file integrity monitoring on security product directories and critical system paths.
- Stream Sysmon driver-load and file-delete events to a SIEM with rules tuned for vulnerable signed driver abuse (BYOVD).
- Track installations of optimization or cleanup utilities through software inventory tooling and review them quarterly.
How to Mitigate CVE-2025-66680
Immediate Actions Required
- Uninstall WiseCleaner Wise Force Deleter version 7.3.2 and earlier from all managed endpoints until a fixed release is verified.
- Remove or block loading of the WiseDelfile64.sys driver using the Microsoft Vulnerable Driver Blocklist.
- Restrict local administrative and developer rights on systems where the driver cannot be removed.
- Audit endpoints for unauthorized installations of Wise Force Deleter via software inventory.
Patch Information
As of the NVD publication on 2026-03-03, no vendor patch has been referenced in the advisory. Consult the WiseCleaner Wise Force Deleter product page for any updated release that addresses the IOCTL access control flaw. Until a fixed version is published, removal of the affected driver is the only reliable remediation.
Workarounds
- Enable the Microsoft Vulnerable Driver Blocklist via Windows Security to prevent WiseDelfile64.sys from loading.
- Apply Windows Defender Application Control (WDAC) policies that block the specific driver hash.
- Restrict standard users from installing third-party kernel drivers through group policy and AppLocker.
# Enable Microsoft Vulnerable Driver Blocklist (Windows 11 / Server 2022+)
# Run in elevated PowerShell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config" -Name "VulnerableDriverBlocklistEnable" -Value 1
# Remove the driver service if Wise Force Deleter is no longer needed
sc.exe stop WiseDelfile64
sc.exe delete WiseDelfile64
# Verify the driver is not loaded
driverquery /v | findstr /i "WiseDelfile64"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

