Executive Summary

CVE-2025-63945 is a local privilege escalation vulnerability in the Tencent iOA app on Windows devices. It arises from insecure handling of files and directories under the C:\Windows\Temp path, specifically involving symbolic link (symlink) attacks. A SYSTEM-privileged process named LegacyKB_ioa_win.exe, launched by the iOA component, creates and deletes certain directories within C:\Windows\Temp\TencentDownload with SYSTEM privileges.

Because unprivileged users can create and modify the TencentDownload directory, they can manipulate it to create symbolic links or junctions pointing to arbitrary system locations. This tricks the SYSTEM process into deleting arbitrary files or folders with SYSTEM privileges, enabling the attacker to escalate their privileges locally.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a local unprivileged user to delete arbitrary files or directories on the system with SYSTEM-level privileges. This can lead to unauthorized modification or removal of critical system files, potentially compromising system integrity and security.

By exploiting this vulnerability, an attacker can escalate their privileges from a normal user to SYSTEM level, gaining full control over the affected Windows device. This can result in unauthorized access to sensitive data, installation of malicious software, or disruption of system operations.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves manipulation of the C:\Windows\Temp\TencentDownload directory and symbolic link (symlink) attacks targeting SYSTEM-privileged processes like LegacyKB_ioa_win.exe. Detection can focus on monitoring the presence and permissions of the TencentDownload directory and its subdirectories, as well as suspicious creation of symbolic links or junctions within this path.

• Check if the TencentDownload directory exists and its permissions: icacls C:\Windows\Temp\TencentDownload
• List symbolic links or junctions inside TencentDownload and its subdirectories: dir /AL /S C:\Windows\Temp\TencentDownload
• Monitor for the presence of ~* prefixed subdirectories inside TencentDownload: dir C:\Windows\Temp\TencentDownload\~*
• Use Sysinternals tools like Handle or Process Monitor to watch for opportunistic locks (OpLocks) or unusual file operations by LegacyKB_ioa_win.exe or Legacy_*.exe processes.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps focus on restricting unprivileged user permissions on the TencentDownload directory to prevent symlink or junction creation and manipulation.

• Restrict or remove Modify permissions for unprivileged users on C:\Windows\Temp\TencentDownload to prevent unauthorized directory and symlink manipulation.
• Monitor and audit the creation of symbolic links or junctions within the TencentDownload directory.
• Temporarily disable or restrict execution of LegacyKB_ioa_win.exe and related Legacy_*.exe processes if possible until a patch is applied.
• Apply any available patches or updates from Tencent addressing this vulnerability as soon as they are released.

Useful 0 Not Useful 0