CVE-2025-66680
Arbitrary File Deletion in WiseCleaner Wise Force Deleter
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wisecleaner | wise_force_deleter | up to and including 1.5.7.59 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66680 is a vulnerability in the WiseDelfile64.sys component of WiseCleaner Wise Force Deleter version 7.3.2 and earlier. This vulnerability allows attackers to delete arbitrary files on a Windows system by sending a specially crafted request to the vulnerable driver.
Wise Force Deleter is a utility designed to forcibly unlock and delete files that are otherwise undeletable due to access restrictions or being in use by other processes. The vulnerability can be exploited by an attacker with local administrator privileges who can place the driver file in the Windows directory and execute a crafted binary to delete specified files.
How can this vulnerability impact me?
This vulnerability can allow an attacker with local administrator access to delete arbitrary files on your system, including critical system files. This can lead to system instability, denial of service, or loss of important data.
Because the attacker can delete files that are normally protected or in use, exploitation bypasses typical Windows file access restrictions, increasing the risk of damage or disruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence and use of the vulnerable WiseDelfile64.sys driver and the Wise Force Deleter application version 1.5.7.59 or earlier on the system.
One approach is to verify if the driver file WiseDelfile64.sys exists in the C:\Windows directory, as the exploit involves placing this driver there.
Additionally, monitoring for suspicious execution of binaries that attempt to delete arbitrary files, especially those run with administrator privileges, can help detect exploitation attempts.
Specific commands that may assist in detection include:
- Using PowerShell or Command Prompt to check for the driver file: `dir C:\Windows\WiseDelfile64.sys`
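- Querying the driver service and listing drivers to see if WiseDelfile64.sys is registered or active: `sc.exe queryex WiseDelfile64` (in Windows PowerShell, plain `sc` is an alias for `Set-Content`, so use `sc.exe`) or `driverquery | findstr /i WiseDelfile64`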
- Checking installed software versions to identify if Wise Force Deleter 1.5.7.59 or earlier is present.
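
The three checks above combined into one inventory script, as an added example that is not from the advisory or the vendor. The driver name, path and version boundary come from this page; the uninstall-registry display name pattern `Wise Force Deleter*` is an assumption.

```powershell
# Added example: local inventory check for the driver and product named on this page.
$DriverName   = 'WiseDelfile64'                          # driver/service name as given on this page
$DriverPath   = Join-Path $env:windir "$DriverName.sys"  # location named on this page
$LastAffected = [version]'1.5.7.59'                      # last affected version per the table above
$findings     = [System.Collections.Generic.List[object]]::new()

# 1. Driver file on disk: record version, signer and hash for triage.
if (Test-Path -LiteralPath $DriverPath) {
    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    $hash = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash
    $ver  = (Get-Item -LiteralPath $DriverPath).VersionInfo.FileVersion
    $findings.Add([pscustomobject]@{
        Check = 'DriverFile'; Detail = $DriverPath
        Extra = "FileVersion=$ver Signer=$($sig.SignerCertificate.Subject) SHA256=$hash" })
}

# 2. Kernel driver registered as a service (running or stopped).
Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'" | ForEach-Object {
    $findings.Add([pscustomobject]@{
        Check = 'DriverService'; Detail = $_.PathName
        Extra = "State=$($_.State) StartMode=$($_.StartMode)" })
}

# 3. Installed product and whether its version falls in the affected range.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Wise Force Deleter*' } |   # assumed display name
    ForEach-Object {
        $parsed = $null
        # Unparseable version strings are reported as 'unknown' rather than guessed.
        $affected = if ([version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)) {
            $parsed -le $LastAffected
        } else { 'unknown' }
        $findings.Add([pscustomobject]@{
            Check = 'InstalledProduct'; Detail = "$($_.DisplayName) $($_.DisplayVersion)"
            Extra = "AffectedRange=$affected InstallLocation=$($_.InstallLocation)" })
    }

if ($findings.Count -eq 0) {
    Write-Output "No $DriverName driver or Wise Force Deleter install found on $env:COMPUTERNAME."
} else {
    $findings | Format-List
}
```

A `DriverFile` or `DriverService` finding without a matching `InstalledProduct` entry deserves a closer look, since the page describes the driver being placed in the Windows directory independently of the application.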
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing Wise Force Deleter or updating it to a version later than 1.5.7.59 that does not contain the vulnerability.
Ensure that the WiseDelfile64.sys driver is not present in the C:\Windows directory or is not loaded as a driver.
Restrict local administrator privileges to trusted users only, as exploitation requires local admin rights.
Monitor and audit file deletion activities, especially those initiated by Wise Force Deleter or related processes.
If possible, uninstall Wise Force Deleter until a secure version is available.