CVE-2025-63945
Privilege Escalation via Race Condition in Tencent iOA Windows App
Publication date: 2026-02-23
Last updated on: 2026-02-26
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tencent | ioa | to 210.9.28693.62001 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-63945 is a local privilege escalation vulnerability in the Tencent iOA app on Windows devices. It arises from insecure handling of files and directories under the C:\Windows\Temp path, specifically involving symbolic link (symlink) attacks. A SYSTEM-privileged process named LegacyKB_ioa_win.exe, launched by the iOA component, creates and deletes certain directories within C:\Windows\Temp\TencentDownload with SYSTEM privileges.
Because unprivileged users can create and modify the TencentDownload directory, they can manipulate it to create symbolic links or junctions pointing to arbitrary system locations. This tricks the SYSTEM process into deleting arbitrary files or folders with SYSTEM privileges, enabling the attacker to escalate their privileges locally.
How can this vulnerability impact me? :
This vulnerability allows a local unprivileged user to delete arbitrary files or directories on the system with SYSTEM-level privileges. This can lead to unauthorized modification or removal of critical system files, potentially compromising system integrity and security.
By exploiting this vulnerability, an attacker can escalate their privileges from a normal user to SYSTEM level, gaining full control over the affected Windows device. This can result in unauthorized access to sensitive data, installation of malicious software, or disruption of system operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves manipulation of the C:\Windows\Temp\TencentDownload directory and symbolic link (symlink) attacks targeting SYSTEM-privileged processes like LegacyKB_ioa_win.exe. Detection can focus on monitoring the presence and permissions of the TencentDownload directory and its subdirectories, as well as suspicious creation of symbolic links or junctions within this path.
- Check if the TencentDownload directory exists and its permissions: icacls C:\Windows\Temp\TencentDownload
- List symbolic links or junctions inside TencentDownload and its subdirectories: dir /AL /S C:\Windows\Temp\TencentDownload
- Monitor for the presence of ~* prefixed subdirectories inside TencentDownload: dir C:\Windows\Temp\TencentDownload\~*
- Use Sysinternals tools like Handle or Process Monitor to watch for opportunistic locks (OpLocks) or unusual file operations by LegacyKB_ioa_win.exe or Legacy_*.exe processes.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on restricting unprivileged user permissions on the TencentDownload directory to prevent symlink or junction creation and manipulation.
- Restrict or remove Modify permissions for unprivileged users on C:\Windows\Temp\TencentDownload to prevent unauthorized directory and symlink manipulation.
- Monitor and audit the creation of symbolic links or junctions within the TencentDownload directory.
- Temporarily disable or restrict execution of LegacyKB_ioa_win.exe and related Legacy_*.exe processes if possible until a patch is applied.
- Apply any available patches or updates from Tencent addressing this vulnerability as soon as they are released.