CVE-2026-27115 Overview
CVE-2026-27115 is a path traversal vulnerability in ADB Explorer, a fluent UI for ADB (Android Debug Bridge) on Windows. The vulnerability allows any user to trigger recursive deletion of arbitrary directories on the Windows filesystem through an unvalidated command-line argument. This represents a significant threat to data integrity, as exploitation results in permanent, unrecoverable file deletion that bypasses the Windows Recycle Bin.
Critical Impact
Attackers can craft malicious shortcuts (.lnk) or batch scripts that launch ADB Explorer with a critical directory path as an argument, causing permanent recursive deletion of all subdirectories within the targeted path.
Affected Products
- ADB Explorer versions 0.9.26020 and below
- Windows systems running vulnerable ADB Explorer versions
Discovery Timeline
- 2026-02-20 - CVE-2026-27115 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-27115
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-22: Path Traversal) in how ADB Explorer handles command-line arguments. The application accepts an optional path argument intended to set a custom data directory, but the validation only checks whether the provided path exists as a directory. This insufficient validation allows an attacker to specify any existing directory on the system.
The ClearDrag() method within the application calls Directory.Delete(dir, true) on every subdirectory of the attacker-specified path at both application startup and exit. The true parameter enables recursive deletion, meaning all files and nested subdirectories are permanently removed without confirmation and without being sent to the Recycle Bin.
The attack requires local access and user interaction—a victim must execute a malicious shortcut, batch file, or script that launches ADB Explorer with a crafted path argument. However, social engineering can easily facilitate this, as users may execute shortcuts without inspecting their properties.
Root Cause
The root cause is insufficient validation of the command-line path argument. The vulnerable code only verified that the supplied path exists as a directory (Directory.Exists(e.Args[0])), allowing any existing directory to be accepted. This permitted attackers to supply system-critical directories such as C:\Users\%USERNAME%\Documents or C:\Users\%USERNAME%\Desktop, which would then have all their subdirectories recursively deleted.
Attack Vector
The attack is local in nature and requires user interaction. An attacker must convince a victim to execute a malicious shortcut (.lnk file) or batch script that launches ADB Explorer with a target directory as an argument. The attack sequence proceeds as follows:
- Attacker creates a malicious shortcut or batch script targeting ADB Explorer
- The malicious launcher specifies a critical user directory (e.g., Documents, Desktop) as the path argument
- Victim executes the malicious launcher
- ADB Explorer starts and immediately begins recursive deletion via ClearDrag()
- All subdirectories and their contents are permanently deleted, bypassing the Recycle Bin
The security patch in version 0.9.26021 addresses this by fundamentally changing the validation logic:
// Read to force it to be set to Windows' culture
_ = Data.Settings.OriginalCulture;
+ // Similar to %LocalAppData%\ADB Explorer (but avoids virtualization for Store versions)
+ Data.AppDataPath = Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), "AppData", "Local", AdbExplorerConst.APP_DATA_FOLDER);
+
if (e.Args.Length > 0)
{
- if (!Directory.Exists(e.Args[0]))
+ // verify that the provided path is valid - it should not exist as a directory, but its parent directory should exist
+ if (!Directory.Exists(FileHelper.GetParentPath(e.Args[0])) || Directory.Exists(e.Args[0]))
{
MessageBox.Show($"{Strings.Resources.S_PATH_INVALID}\n\n{e.Args[0]}", Strings.Resources.S_CUSTOM_DATA_PATH, MessageBoxButton.OK, MessageBoxImage.Error);
Current.Shutdown(1);
return;
}
- Data.AppDataPath = e.Args[0];
+ SettingsFilePath = Path.GetFullPath(e.Args[0]);
}
else
- Data.AppDataPath = Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), "AppData", "Local", AdbExplorerConst.APP_DATA_FOLDER);
-
- SettingsFilePath = FileHelper.ConcatPaths(Data.AppDataPath, AdbExplorerConst.APP_SETTINGS_FILE, '\\');
+ SettingsFilePath = FileHelper.ConcatPaths(Data.AppDataPath, AdbExplorerConst.APP_SETTINGS_FILE, '\\');
try
{
Source: GitHub Commit Update
The fix inverts the validation logic: the provided path must NOT exist as a directory, but its parent directory must exist. This ensures only new, non-existent paths can be specified, preventing attackers from pointing to existing critical directories.
Detection Methods for CVE-2026-27115
Indicators of Compromise
- Unusual ADB Explorer process executions with command-line arguments pointing to sensitive directories
- Unexpected deletion of directory contents without user-initiated action
- Presence of suspicious .lnk shortcut files or batch scripts that reference ADB Explorer with path arguments
- Event logs showing rapid file system deletion operations coinciding with ADB Explorer execution
Detection Strategies
- Monitor process execution for ADBExplorer.exe with command-line arguments containing paths outside the expected AppData locations
- Implement endpoint detection rules to alert on recursive directory deletions following ADB Explorer process start
- Audit file system events for mass deletion operations affecting user profile directories
- Scan for malicious shortcut files that specify unexpected target paths for ADB Explorer
Monitoring Recommendations
- Enable Windows file auditing on critical user directories to track unexpected deletion events
- Configure process creation logging (Windows Security Event 4688) with command-line auditing enabled
- Monitor for unusual file system activity patterns indicating mass recursive deletion
- Review user-accessible shortcut files for suspicious command-line arguments
How to Mitigate CVE-2026-27115
Immediate Actions Required
- Upgrade ADB Explorer to version 0.9.26021 or later immediately
- Review and audit any existing ADB Explorer shortcuts for malicious command-line arguments
- Educate users about the risks of executing shortcuts from untrusted sources
- Consider restricting execution of ADB Explorer via application control policies until patched
Patch Information
The vulnerability has been fixed in ADB Explorer version 0.9.26021. The patch modifies the command-line argument validation to require that the specified path does not exist as a directory while its parent directory must exist. This prevents attackers from specifying existing directories as targets. The fix is available via the GitHub Release v0.9.26021.
For additional details, refer to the GitHub Security Advisory GHSA-rg2h-2p33-rxcr.
Workarounds
- Remove or restrict access to ADB Explorer until the patched version can be deployed
- Implement application whitelisting to prevent execution of ADB Explorer from non-standard locations
- Configure file system permissions to protect critical user directories from deletion by non-elevated processes
- Use backup solutions to enable recovery in case of accidental or malicious directory deletion
# Verify ADB Explorer version and remove vulnerable shortcuts
# Check installed version
Get-ItemProperty "HKCU:\Software\ADB Explorer" -ErrorAction SilentlyContinue | Select-Object Version
# Scan for suspicious shortcuts targeting ADB Explorer
Get-ChildItem -Path "$env:USERPROFILE" -Filter "*.lnk" -Recurse | ForEach-Object {
$shell = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($_.FullName)
if ($shortcut.TargetPath -like "*ADBExplorer*" -and $shortcut.Arguments -ne "") {
Write-Warning "Suspicious shortcut found: $($_.FullName) with arguments: $($shortcut.Arguments)"
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
