CVE-2025-21420

HIGH

Windows Disk Cleanup Tool - Elevation of Privilege via Improper Link Resolution

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-21420. PoCs published by Network-Sec, moiz-2x, toxy4ny.

AI-analyzed exploit summary: This PoC demonstrates a DLL sideloading vulnerability in the Windows Disk Cleanup Tool (cleanmgr.exe) to achieve privilege escalation by placing a malicious DLL in a specific path, which gets executed when cleanmgr.exe is run.

Description

Windows Disk Cleanup Tool Elevation of Privilege Vulnerability

Exploits (4)

nomisec WORKING POC 98 stars
by Network-Sec · poc
https://github.com/Network-Sec/CVE-2025-21420-PoC

This PoC demonstrates a DLL sideloading vulnerability in the Windows Disk Cleanup Tool (cleanmgr.exe) to achieve privilege escalation by placing a malicious DLL in a specific path, which gets executed when cleanmgr.exe is run.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Disk Cleanup Tool (cleanmgr.exe)
Auth required
Prerequisites: Ability to place a malicious DLL in a specific directory · Execution of cleanmgr.exe with elevated privileges
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 56 stars
by moiz-2x · poc
https://github.com/moiz-2x/CVE-2025-21420_POC

This PoC exploits CVE-2025-21420 by creating specific folders and files to trigger the SilentCleanup task, which deletes contents in a way that can be redirected to escalate privileges. The exploit leverages arbitrary folder deletion to achieve SYSTEM-level privileges.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (cleanmgr.exe with SilentCleanup task)
Auth required
Prerequisites: Local access to the target system · Ability to create folders and files in specific directories · SilentCleanup task must be present and executable
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 7 stars
by toxy4ny · poc
https://github.com/toxy4ny/edge-maradeur

The repository contains a README describing a BadUSB script that exploits CVE-2025-21420 and CVE-2025-21401 to elevate privileges and bypass security features in Windows Disk Cleanup and Microsoft Edge. No actual exploit code is provided.

Classification: Writeup 30%
Attack Type: LPE
Complexity: Theoretical
Reliability: Theoretical
Target: Microsoft Windows (Disk Cleanup) and Microsoft Edge
No auth needed
Prerequisites: Physical access or BadUSB deployment · Vulnerable version of Windows and Edge
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by Dmitri131313 · poc
https://github.com/Dmitri131313/CVE-2025-21420-PoC

This repository contains a functional proof-of-concept for CVE-2025-21420, demonstrating a DLL sideloading vulnerability in the Windows Disk Cleanup Tool (cleanmgr.exe). The PoC includes a malicious DLL that spawns multiple shells when loaded by cleanmgr.exe, leveraging the tool's elevation of privilege to execute arbitrary code.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Disk Cleanup Tool (cleanmgr.exe)
No auth needed
Prerequisites: DLL sideloading setup · cleanmgr.exe execution with elevated privileges
devstral-2 · analyzed Mar 20, 2026

References (1)

Core References
Patch, Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21420

Scores

CVSS v3 7.8
EPSS 0.0333
EPSS Percentile 87.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-59
Status published
Products (15)
microsoft/windows_10_1507 < 10.0.10240.20915 (2 CPE variants)
microsoft/windows_10_1607 < 10.0.14393.7785 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.6893 (2 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.5487
microsoft/windows_10_22h2 < 10.0.19045.5487
microsoft/windows_11_22h2 < 10.0.22621.4890
microsoft/windows_11_23h2 < 10.0.22631.4890
microsoft/windows_11_24h2 < 10.0.26100.3194
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 5 more
Published Feb 11, 2025
Tracked Since Feb 18, 2026