CVE-2025-7073
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-10

Last updated on: 2026-05-18

Assigner: Bitdefender

Description
A local privilege escalation vulnerability in Bitdefender Total Security versions prior to 27.0.47.241 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\ProgramData\Atc\Feedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as elevated user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-10
Last Modified
2026-05-18
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-7073
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
bitdefender antivirus to 30.0.25.77 (exc)
bitdefender endpoint_security_tools to 7.9.20.515 (exc)
bitdefender antivirus_plus to 27.0.47.241 (exc)
bitdefender internet_security to 27.0.47.241 (exc)
bitdefender total_security to 27.0.47.241 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a local privilege escalation issue in Bitdefender Total Security 27.0.46.231. It occurs because the process bdservicehost.exe deletes files from a user-writable directory (C:\ProgramData\Atc\Feedback) without properly validating symbolic links. This flaw allows a low-privileged attacker to create symbolic links that cause arbitrary files to be deleted. The vulnerability is further exploited through a chain involving a file copy operation during network events and a filter driver bypass via DLL injection, ultimately enabling arbitrary file copy and code execution with elevated privileges.

Impact Analysis

This vulnerability can allow an attacker with low privileges on the affected system to escalate their privileges to a higher level, potentially gaining administrative or system-level access. This could lead to unauthorized file deletion, arbitrary file copying, and execution of malicious code with elevated rights, compromising the security and integrity of the system.

Detection Guidance

Detection involves checking for the presence of vulnerable versions of Bitdefender products, specifically versions earlier than 27.0.46.231 for Total Security. Additionally, monitoring the directory C:\ProgramData\Atc\Feedback for suspicious symbolic links or unexpected file deletions can indicate exploitation attempts. Commands to list symbolic links in that directory on Windows PowerShell include: Get-ChildItem -Path 'C:\ProgramData\Atc\Feedback' -Recurse | Where-Object { $_.LinkType -ne $null } To check the version of Bitdefender Total Security installed, use: Get-ItemProperty 'HKLM:\Software\Bitdefender\Product' | Select-Object -ExpandProperty Version [1]

Mitigation Strategies

The immediate mitigation step is to update Bitdefender products to the fixed versions: Bitdefender Total Security, Internet Security, and Antivirus Plus to version 27.10.45.497 or later; Antivirus Free to version 30.0.25.77 or later; and Endpoint Security Tools for Windows to version 7.9.20.515 or later. Applying these updates will resolve the vulnerability by fixing the improper symbolic link validation and preventing arbitrary file deletion and privilege escalation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-7073. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart