CVE-2025-67905: n/a
Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and performs an insecure log file delete operation in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link, a related issue to CVE-2023-28892. To exploit this, an attacker must create a file in a given folder path and intercept the application log file deletion flow.
AI Analysis
Technical Summary
CVE-2025-67905 is a privilege escalation vulnerability affecting Malwarebytes AdwCleaner versions before 8.7.0. The core issue arises because AdwCleaner runs with Administrator privileges and performs log file deletions in an insecure manner where the target log file location is controllable by a non-administrative user. This allows an attacker with limited privileges to create a symbolic link (symlink) that redirects the log file deletion operation to an arbitrary system file. By carefully crafting this symlink, the attacker can cause the application to delete or modify critical system files, effectively escalating their privileges to SYSTEM level. The vulnerability is similar in nature to CVE-2023-28892, which also involved insecure file operations leading to privilege escalation. Exploitation requires the attacker to place a file in a specific folder path and intercept the log deletion flow, but does not require user interaction beyond that. The CVSS v3.1 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and the need for only low privileges to start the attack. No known public exploits have been reported yet, but the vulnerability poses a significant risk due to the high privileges of the affected process and the potential for full system compromise.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially in environments where Malwarebytes AdwCleaner is deployed for malware remediation. Successful exploitation can lead to full SYSTEM-level compromise, allowing attackers to bypass security controls, install persistent malware, steal sensitive data, or disrupt system operations. This can impact confidentiality by exposing sensitive information, integrity by allowing unauthorized modifications to system files, and availability by potentially causing system instability or denial of service. Organizations in sectors with high regulatory requirements such as finance, healthcare, and critical infrastructure could face severe compliance and operational consequences. The vulnerability is particularly concerning in multi-user environments where non-admin users have local access, such as corporate desktops or shared workstations. Given the widespread use of Malwarebytes products in Europe, the threat surface is considerable.
Mitigation Recommendations
1. Upgrade Malwarebytes AdwCleaner to version 8.7.0 or later, where this vulnerability is fixed.
2. Until patching is possible, restrict local user permissions to prevent unauthorized file creation in the folders targeted by AdwCleaner’s log deletion process.
3. Implement application whitelisting and endpoint protection to detect and block suspicious symbolic link creation or manipulation.
4. Monitor file system activity for unusual symlink creation or deletion operations in directories used by AdwCleaner.
5. Use Group Policy or endpoint management tools to enforce least privilege principles and limit administrative rights on endpoints.
6. Educate users about the risks of local privilege escalation and enforce strict access controls on shared machines.
7. Regularly audit installed software versions and patch management processes to ensure timely updates of security-critical applications.
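The Technical Summary describes the defect class (a privileged process deleting a log file at a path a standard user controls, so a link under that path decides what is really removed), and recommendation 4 asks for monitoring of links in the directories the tool uses. The following is an added example, not AdwCleaner's code and not anything from Malwarebytes: it places a naive delete beside a hardened one that refuses to act when any component of the log directory, or the log entry itself, is a symlink or Windows reparse point, and adds a small audit helper that lists link entries in a log directory. The directory and file names, including "AdwCleaner.log", are constructed for the demonstration; the `FILE_ATTRIBUTE_REPARSE_POINT` check only takes effect on Windows, and the POSIX `S_ISLNK` test covers other platforms.

```python
"""Added example, not AdwCleaner's code: a delete that follows whatever the
path resolves to, beside a hardened delete that refuses links, plus an audit
helper for the monitoring recommendation.  Directory and file names below
are constructed for the demonstration."""
import os
import stat
import tempfile

# Windows sets this attribute on the link object for symlinks and junctions.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_link(path: str) -> bool:
    """True if `path` itself (not its target) is a symlink or, on Windows,
    any reparse point such as a directory junction.  lstat never follows."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def dir_is_plain(log_dir: str) -> bool:
    """True only if every component of log_dir exists and none is a link;
    a junction anywhere in the prefix redirects everything beneath it."""
    parts = os.path.abspath(log_dir).split(os.sep)
    prefix = parts[0] + os.sep          # "/" on POSIX, "C:\\" on Windows
    try:
        for part in parts[1:]:
            if not part:
                continue
            prefix = os.path.join(prefix, part)
            if is_link(prefix):
                return False
    except OSError:                     # missing or unreadable: do not trust it
        return False
    return os.path.isdir(prefix)


def naive_delete(log_dir: str, name: str) -> None:
    """The pattern the advisory describes: delete whatever the joined path
    resolves to, so a link placed under log_dir decides what is removed."""
    os.remove(os.path.join(log_dir, name))


def hardened_delete(log_dir: str, name: str) -> bool:
    """Delete only a regular file that really lives in log_dir.
    Returns True on deletion, False when the request is refused."""
    # A bare file name only: no separators, no traversal.
    if name in ("", ".", "..") or os.path.basename(name) != name:
        return False
    # No link anywhere in the directory path, and the directory must exist.
    if not dir_is_plain(log_dir):
        return False
    path = os.path.join(log_dir, name)
    try:
        st = os.lstat(path)             # inspect the entry without following it
    except FileNotFoundError:
        return False
    if is_link(path) or not stat.S_ISREG(st.st_mode):
        return False
    os.remove(path)
    return True


def find_links(log_dir: str) -> list:
    """Audit helper: list entries in log_dir that are links or reparse points.
    A log directory should normally contain only regular files."""
    return sorted(e for e in os.listdir(log_dir) if is_link(os.path.join(log_dir, e)))


def demo() -> dict:
    """Constructed scenario: 'protected' stands in for a directory the
    privileged process must never touch, 'logs' is the user-writable log
    directory replaced by a link at 'protected', and 'logs_real' is an
    honest log directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)    # resolve /tmp itself if it is a link
        protected = os.path.join(root, "protected")
        os.mkdir(protected)
        victim = os.path.join(protected, "AdwCleaner.log")   # constructed name
        open(victim, "w").close()
        logs = os.path.join(root, "logs")
        os.symlink(protected, logs, target_is_directory=True)
        real = os.path.join(root, "logs_real")
        os.mkdir(real)
        open(os.path.join(real, "session.log"), "w").close()

        result = {"links_found": find_links(root)}
        result["hardened_refused"] = not hardened_delete(logs, "AdwCleaner.log")
        result["victim_intact"] = os.path.exists(victim)
        result["legit_delete_ok"] = (hardened_delete(real, "session.log")
                                     and not os.path.exists(os.path.join(real, "session.log")))
        naive_delete(logs, "AdwCleaner.log")    # follows the link into 'protected'
        result["victim_removed_by_naive"] = not os.path.exists(victim)
        return result


if __name__ == "__main__":
    print(demo())
```

The check-then-delete sequence above still leaves a window between the `lstat` and the `remove`; it illustrates the conditions a safe delete has to verify rather than a complete fix. On Windows the usual remedy for a privileged process is to open the file handle with `FILE_FLAG_OPEN_REPARSE_POINT` (so a link is never followed) and delete through that handle, or to perform the operation while impersonating the low-privileged user so that its access rights, not Administrator's, decide the outcome.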
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-15T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699575bb80d747be20537726
Added to database: 2/18/2026, 8:18:03 AM
Last enriched: 2/18/2026, 8:22:59 AM
Last updated: 2/21/2026, 12:16:02 AM