CVE-2025-7073 is a local privilege escalation vulnerability identified in Bitdefender Total Security version 27.0.46.231. The root cause is improper link resolution before file access (CWE-59) in the bdservicehost.exe process. Specifically, the service deletes files located in a user-writable directory (C:\ProgramData\Atc\Feedback) without validating whether the file path is a symbolic link. This flaw enables a low-privileged attacker to create symbolic links that redirect the deletion operation to arbitrary files, effectively allowing arbitrary file deletion. The vulnerability is further exploited by chaining it with a file copy operation that occurs during network events and a filter driver bypass achieved through DLL injection. This chain enables the attacker to copy arbitrary files and execute code with elevated privileges, escalating from a low-privileged user to a higher privilege level. The CVSS 4.0 base score is 8.8 (high severity), reflecting the significant impact on confidentiality, integrity, and availability, combined with the complexity of exploitation requiring local access and partial user interaction. No patches or known exploits are currently reported, but the vulnerability poses a serious risk to affected systems. The vulnerability affects Bitdefender Total Security, a widely used endpoint protection product, making it a critical concern for organizations relying on this software for security.

The impact of CVE-2025-7073 on European organizations is substantial due to the potential for local attackers to escalate privileges and execute arbitrary code with elevated rights. This can lead to full system compromise, unauthorized access to sensitive data, disruption of security controls, and potential lateral movement within networks. Organizations relying on Bitdefender Total Security for endpoint protection could see their defenses bypassed, undermining overall security posture. Critical sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk, as attackers could leverage this vulnerability to gain footholds and conduct espionage, sabotage, or data theft. The requirement for local access limits remote exploitation but does not eliminate risk, especially in environments with many users or where attackers can gain initial footholds via phishing or insider threats. The absence of known exploits in the wild currently reduces immediate risk but also means organizations must proactively prepare for potential future exploitation.

1. Apply official patches from Bitdefender promptly once released to address the vulnerability. 2. Until patches are available, restrict write permissions on the directory C:\ProgramData\Atc\Feedback to trusted administrators only, preventing unprivileged users from creating symbolic links or manipulating files there. 3. Implement strict application whitelisting and code integrity policies to detect and block unauthorized DLL injections and filter driver bypass attempts. 4. Monitor system logs and endpoint detection tools for unusual file deletion activities, symbolic link creations, and DLL injection behaviors related to bdservicehost.exe. 5. Employ network segmentation and least privilege principles to limit local user access and reduce the attack surface. 6. Educate users and administrators about the risks of local privilege escalation and encourage vigilance against suspicious activities. 7. Conduct regular security audits and penetration tests focusing on local privilege escalation vectors to identify and remediate similar weaknesses.