CVE-2025-7073 is a local privilege escalation vulnerability identified in Bitdefender Total Security 27.0.46.231. The root cause is improper link resolution before file access (CWE-59) in the bdservicehost.exe component. Specifically, the service deletes files from a directory (C:\ProgramData\Atc\Feedback) that is writable by standard users without validating whether the files are symbolic links. This lack of validation allows a low-privileged attacker to create symbolic links pointing to arbitrary files elsewhere on the system. When bdservicehost.exe attempts to delete these files, it inadvertently deletes arbitrary files, potentially including critical system or application files. The vulnerability is further exploited by chaining this arbitrary file deletion with a file copy operation that occurs during network events, combined with a filter driver bypass achieved through DLL injection. This chain enables the attacker to copy arbitrary files and execute code with elevated privileges, effectively escalating from a low-privileged user to a higher privileged context. The CVSS 4.0 score is 8.8 (high severity), reflecting the significant impact on confidentiality, integrity, and availability, as well as the complexity of exploitation requiring local access and partial user interaction. No patches or public exploits are currently available, but the vulnerability poses a serious risk to affected systems.

The vulnerability allows attackers with low-level access to escalate privileges to higher levels, potentially SYSTEM or administrative privileges. This can lead to full system compromise, unauthorized access to sensitive data, disruption of security controls, and persistence on affected machines. Organizations relying on Bitdefender Total Security 27.0.46.231 are at risk of attackers bypassing endpoint protection mechanisms and executing arbitrary code with elevated rights. The ability to delete arbitrary files can also cause denial-of-service conditions or corrupt critical system files, impacting system stability and availability. Given Bitdefender's widespread use in enterprise and consumer environments, the impact could be significant in sectors where endpoint security is critical, such as finance, healthcare, government, and critical infrastructure.

1. Immediately restrict write permissions on the C:\ProgramData\Atc\Feedback directory to prevent unprivileged users from creating symbolic links or files within it. 2. Monitor and audit the creation of symbolic links and unusual file deletion activities within user-writable directories. 3. Employ application whitelisting and behavior monitoring to detect and block suspicious DLL injection attempts and filter driver bypass techniques. 4. Isolate critical systems and limit local user privileges to the minimum necessary to reduce attack surface. 5. Once Bitdefender releases an official patch, deploy it promptly across all affected systems. 6. Consider using endpoint detection and response (EDR) tools to identify exploitation attempts related to this vulnerability. 7. Educate users about the risks of executing untrusted code or scripts that could facilitate local exploitation chains. 8. Implement strict network segmentation to limit the impact of compromised endpoints.