CVE-2025-67905 Overview
CVE-2025-67905 is a local privilege escalation vulnerability in Malwarebytes AdwCleaner before version 8.7.0. The application runs with Administrator privileges and performs an insecure log file delete operation where the target location is user-controllable. This allows a non-admin user to escalate privileges to SYSTEM via a symbolic link attack. This vulnerability is related to CVE-2023-28892, indicating a pattern of similar file operation security issues in the product.
Critical Impact
A low-privileged local attacker can exploit this vulnerability to gain SYSTEM-level privileges by manipulating symbolic links during the log file deletion process, potentially leading to complete system compromise.
Affected Products
- Malwarebytes AdwCleaner versions before 8.7.0
Discovery Timeline
- 2026-02-17 - CVE-2025-67905 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-67905
Vulnerability Analysis
This vulnerability stems from improper handling of file operations when the AdwCleaner application deletes log files. The application runs with elevated Administrator privileges but fails to properly validate the target path before performing delete operations. Since the target location is user-controllable, an attacker with low privileges can create a symbolic link (junction point) that redirects the deletion to arbitrary system files or directories.
The exploitation requires the attacker to create a file in a specific folder path that the application expects, then replace or redirect that path using a symbolic link before the application performs its log file deletion. When AdwCleaner attempts to delete what it believes is a log file, it instead follows the symbolic link and deletes the attacker-specified target with SYSTEM privileges.
This class of vulnerability, categorized under CWE-269 (Improper Privilege Management), is particularly dangerous because it leverages legitimate application functionality to perform malicious actions with elevated privileges.
Root Cause
The root cause is the lack of proper validation and security checks when performing privileged file operations. The application fails to:
- Verify that the target path is not a symbolic link or junction point
- Ensure the operation stays within expected directories
- Drop privileges before performing file operations on user-controllable paths
This represents an instance of Improper Privilege Management (CWE-269) where the application does not adequately restrict the scope of privileged operations.
Attack Vector
The attack requires local access to the system with low-privilege user credentials. The attacker must:
- Identify the log file path used by AdwCleaner
- Create a symbolic link (or junction point) at the expected log file location pointing to a target system file or directory
- Trigger or wait for the application to perform its log deletion routine
- The delete operation follows the symbolic link and removes the attacker-specified target with SYSTEM privileges
This can be used to delete critical system files, replace protected executables, or manipulate security configurations, ultimately achieving SYSTEM-level code execution through various privilege escalation techniques.
Detection Methods for CVE-2025-67905
Indicators of Compromise
- Presence of symbolic links or junction points in AdwCleaner log directories
- Unexpected file deletions in system-protected directories occurring during AdwCleaner execution
- Anomalous process behavior where AdwCleaner accesses files outside its expected scope
Detection Strategies
- Monitor for symbolic link creation in directories associated with AdwCleaner log storage
- Implement file integrity monitoring on critical system files and directories
- Track privileged file deletion operations that traverse symbolic links
- Alert on AdwCleaner processes accessing or modifying files outside expected application directories
Monitoring Recommendations
- Enable Windows Security auditing for symbolic link creation events
- Configure endpoint detection to alert on suspicious junction point manipulation
- Monitor for privilege escalation patterns following AdwCleaner execution
- Review process creation events for unexpected child processes spawned by AdwCleaner
How to Mitigate CVE-2025-67905
Immediate Actions Required
- Update Malwarebytes AdwCleaner to version 8.7.0 or later immediately
- Restrict local user permissions where possible to limit attack surface
- Monitor systems for indicators of active exploitation
- Review system logs for signs of symbolic link abuse in application directories
Patch Information
Malwarebytes has addressed this vulnerability in AdwCleaner version 8.7.0. Organizations should update to the latest version as soon as possible. For additional details, refer to the Malwarebytes Security Advisory for CVE-2025-67905.
Workarounds
- Temporarily disable automatic log cleanup features in AdwCleaner if update is not immediately possible
- Implement application whitelisting to prevent unauthorized symbolic link creation in sensitive directories
- Use endpoint protection solutions to detect and block privilege escalation attempts
- Consider running AdwCleaner with reduced privileges in controlled environments until patched
# Configuration example
# Monitor for symbolic link creation in Windows using PowerShell
# Run this to audit junction points in common log directories
Get-ChildItem -Path "C:\ProgramData\Malwarebytes" -Recurse | Where-Object { $_.Attributes -match "ReparsePoint" }
# Enable auditing for file system operations
auditpol /set /subcategory:"File System" /success:enable /failure:enable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
