
PoC Exploit Unveiled for Windows Disk Cleanup Elevation Vulnerability



Microsoft addressed a high-severity elevation of privilege vulnerability (CVE-2025-21420) in its Windows Disk Cleanup Utility (cleanmgr.exe) during February 2025’s Patch Tuesday.

The flaw, scoring 7.8 on the CVSS scale, enabled attackers to execute malicious code with SYSTEM privileges through DLL sideloading and a directory traversal technique.

Technical Analysis of CVE-2025-21420

The vulnerability stems from cleanmgr.exe’s failure to validate DLL loading paths and mitigate symbolic link attacks.

Key components include:

1. Exploitation Mechanism

  • DLL Sideloading: Attackers plant malicious libraries (e.g., dokannp1.dll) in writable system directories.

      cp .\dokan1.dll C:\Users\\System32\System32\System32\dokannp1.dll
      cleanmgr /sageset:2

    This command chain exploits path interception vulnerabilities to load unsigned DLLs.
  • SilentCleanup Task Hijacking: The Windows Task Scheduler’s SilentCleanup task (running as SYSTEM) deletes folder contents without proper symlink checks. Attackers abuse this via:

      # Exploit script structure
      os ...
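
A detection-side sketch for the DLL sideloading item above, added here as an example (not code from the original article or from Microsoft): it triages image-load records for cleanmgr.exe and reports why a load deserves a look. The field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed); the trusted and user-writable roots and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumptions: default %SystemRoot% and the usual per-user / shared writable roots.
WATCHED_PROCESS = "cleanmgr.exe"
TRUSTED_ROOTS = ("c:\\windows\\",)
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\")


def load_findings(event):
    """Return the reasons an image-load event for cleanmgr.exe needs triage."""
    if ntpath.basename(event["Image"]).lower() != WATCHED_PROCESS:
        return []  # out of scope: a different process loaded the module
    # normpath collapses '..' segments and doubled separators, so the
    # comparison is made on the canonical form of the path.
    loaded = ntpath.normpath(event["ImageLoaded"]).lower()
    findings = []
    if event.get("Signed", "false").lower() != "true":
        findings.append("unsigned")
    if loaded.startswith(USER_WRITABLE_ROOTS):
        findings.append("user-writable-path")
    elif not loaded.startswith(TRUSTED_ROOTS):
        findings.append("outside-systemroot")
    return findings


def triage(events):
    """Return (module path, reasons) for every event with at least one finding."""
    return [(e["ImageLoaded"], f) for e in events if (f := load_findings(e))]


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cleanmgr.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\cleanmgr.exe",
     "ImageLoaded": r"C:\Users\exampleuser\System32\System32\System32\dokannp1.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\System32\cleanmgr.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVendor\handler.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\exampleuser\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(reasons)}")
```

Signed modules outside %SystemRoot% can be legitimate cleanup handlers, so "outside-systemroot" alone is a lower-priority finding than "unsigned" combined with "user-writable-path".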

Copyright of this story solely belongs to gbhackers.