
Local Privilege Escalation via Arbitrary File Operation in Bitdefender ATC (VA-12590)

Publication date: December 10th, 2025


CVE ID:
CVE-2025-7073
CVSS score:
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected vendors:
Bitdefender
Affected products:
Total Security; Internet Security; Antivirus Plus; Antivirus Free; Endpoint Security Tools for Windows
Vulnerability details:

A local privilege escalation vulnerability in the Active Threat Control module, as used in Bitdefender Total Security, Internet Security and Antivirus Plus versions earlier than 27.0.46.231, Antivirus Free versions earlier than 30.0.25.77 and Bitdefender Endpoint Security Tools for Windows versions earlier than 7.9.20.515, allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\ProgramData\Atc\Feedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as an elevated user.

Additional details:
An automatic update to the following product versions fixes the issue:
- Bitdefender Total Security product version 27.10.45.497
- Bitdefender Internet Security product version 27.10.45.497
- Bitdefender Antivirus Plus product version 27.10.45.497
- Bitdefender Antivirus Free product version 30.0.25.77
- Bitdefender Endpoint Security Tools for Windows product version 7.9.20.515
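A triage sketch for endpoint administrators, added here as an example and not taken from Bitdefender: it compares an installed product version against the fixed builds listed above and walks C:\ProgramData\Atc\Feedback for reparse points (junctions or symbolic links) without following them. The function names and the sample version are assumptions made for illustration; the installed version is supplied by the operator as shown in the product UI.

```powershell
# Added example, not Bitdefender code. Fixed builds copied from "Additional details".
$FixedBuilds = @{
    'Total Security'                      = [version]'27.10.45.497'
    'Internet Security'                   = [version]'27.10.45.497'
    'Antivirus Plus'                      = [version]'27.10.45.497'
    'Antivirus Free'                      = [version]'30.0.25.77'
    'Endpoint Security Tools for Windows' = [version]'7.9.20.515'
}

# Hypothetical helper: $true when the installed build is older than the fixed build.
function Test-BelowFixedBuild {
    param(
        [Parameter(Mandatory)][string]$Product,
        [Parameter(Mandatory)][version]$InstalledVersion
    )
    if (-not $FixedBuilds.ContainsKey($Product)) { throw "Unknown product '$Product'" }
    return $InstalledVersion -lt $FixedBuilds[$Product]
}

# Hypothetical helper: list reparse points at or below the ATC feedback directory.
function Find-ReparsePoints {
    param([string]$Path = 'C:\ProgramData\Atc\Feedback')
    $found = @()
    if (-not (Test-Path -LiteralPath $Path)) { return $found }
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue((Get-Item -LiteralPath $Path -Force))
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) {
            # Record the link and stop: never descend through a redirected path.
            $found += $item | Select-Object FullName, LinkType, Target, LastWriteTime
            continue
        }
        if ($item.PSIsContainer) {
            Get-ChildItem -LiteralPath $item.FullName -Force -ErrorAction SilentlyContinue |
                ForEach-Object { $queue.Enqueue($_) }
        }
    }
    return $found
}

# Constructed sample input: an Antivirus Free build older than 30.0.25.77.
Test-BelowFixedBuild -Product 'Antivirus Free' -InstalledVersion '30.0.25.10'
Find-ReparsePoints | Format-Table -AutoSize
```

An empty result from the directory walk is a point-in-time observation only; the update listed above remains the fix.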
Credit:
Filip Dragovic (@filip_dragovic)