
CVE-2025-7073: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Bitdefender Total Security

Severity: High
Tags: Vulnerability, CVE-2025-7073, CWE-59
Published: Wed Dec 10 2025 (12/10/2025, 09:46:40 UTC)
Source: CVE Database V5
Vendor/Project: Bitdefender
Product: Total Security

Description

A local privilege escalation vulnerability in Bitdefender Total Security versions prior to 27.0.47.241 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\ProgramData\Atc\Feedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as an elevated user.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 19:29:28 UTC

Technical Analysis

CVE-2025-7073 is a local privilege escalation vulnerability in Bitdefender Total Security versions prior to 27.0.47.241. The root cause is improper link resolution before file access (CWE-59) in the bdservicehost.exe process: it deletes files from the user-writable directory C:\ProgramData\Atc\Feedback without first checking whether an entry is a symbolic link. Because the deletion is performed by the privileged service, a low-privileged user who plants a link in that directory pointing at a file elsewhere on the system can cause bdservicehost.exe to delete that file instead of the intended feedback file.

The reported exploitation is a three-step chain: the link-following flaw is used for arbitrary file deletion; a file copy operation triggered during network events is then abused for arbitrary file copy; and a filter driver bypass via DLL injection finally yields code execution as an elevated user. Local access is required but no user interaction, and confidentiality, integrity and availability are all affected through the arbitrary file deletion and code execution.

The CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) encodes a local, high-complexity attack with attack requirements present (AT:P), low privileges required (PR:L) and no user interaction, with high impact on both the vulnerable system and subsequent systems. No patches are currently linked, and no known exploits are reported in the wild as of the publication date.

Potential Impact

The vulnerability allows attackers with low-level local access to escalate privileges to elevated user levels, potentially SYSTEM or administrator. This can lead to full system compromise, unauthorized access to sensitive data, and disruption of security controls. Arbitrary file deletion can cause denial of service by removing critical system or application files. The ability to execute code with elevated privileges undermines the integrity and confidentiality of affected systems. Organizations relying on Bitdefender Total Security for endpoint protection may face increased risk of compromise, especially in environments where local access controls are weak or where attackers can gain initial footholds through other means. The chained exploitation technique increases the attack surface and complexity, making mitigation more urgent. The lack of known exploits currently reduces immediate risk but does not diminish the potential impact if weaponized. This vulnerability is particularly concerning for enterprises and government agencies that rely on Bitdefender for critical endpoint defense.

Mitigation Recommendations

1. Immediately monitor for updates from Bitdefender and apply patches for Total Security version 27.0.47.241 or later as soon as they become available.
2. Restrict write permissions to the C:\ProgramData\Atc\Feedback directory to trusted system processes only, preventing unprivileged users from creating symbolic links or files in this location.
3. Implement application whitelisting and integrity monitoring to detect unauthorized DLL injections and filter driver bypass attempts.
4. Employ endpoint detection and response (EDR) solutions to monitor bdservicehost.exe behavior for unusual file deletions or network-triggered file copy operations.
5. Conduct regular audits of local user privileges and remove unnecessary local accounts to reduce the attack surface.
6. Educate system administrators about the risks of symbolic link attacks and ensure secure configuration of antivirus and endpoint security products.
7. Use system hardening techniques to limit the ability of low-privileged users to manipulate system directories and services.
8. Consider isolating critical endpoints or using virtualization/containerization to limit the impact of potential exploitation.
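The audit script below is an added example written for this page; it is not Bitdefender's code and does not come from the advisory. It checks, read-only, the three conditions the Technical Analysis and mitigation items 1, 2 and 4 turn on: whether an installed Bitdefender product is below the fixed version 27.0.47.241, whether low-privileged identities hold write or delete rights on C:\ProgramData\Atc\Feedback, and whether any reparse points (symbolic links or junctions) already sit in that directory. It assumes the product registers itself under the standard Uninstall registry keys with a DisplayName beginning "Bitdefender" and a dotted DisplayVersion, that the listed identity names represent low-privileged users on the host, and that it is run from an elevated PowerShell session.

```powershell
# Added example for this advisory; not Bitdefender's code and not part of the original page.
# Read-only audit of the conditions CVE-2025-7073 depends on:
#   1. installed product version (below the fixed 27.0.47.241?)
#   2. low-privileged write/delete access to C:\ProgramData\Atc\Feedback
#   3. reparse points (symbolic links / junctions) already present in that directory
# Assumptions: Uninstall registry DisplayName starts with "Bitdefender", DisplayVersion is a
# dotted version string, and the script runs from an elevated PowerShell session.

$FeedbackDir  = 'C:\ProgramData\Atc\Feedback'   # directory named in the advisory
$FixedVersion = [version]'27.0.47.241'          # first fixed version per the advisory

function Get-BitdefenderInstallState {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Bitdefender*' -and $_.DisplayVersion } |
        ForEach-Object {
            $v = $null
            $parsed = [version]::TryParse($_.DisplayVersion, [ref]$v)
            # Compare numerically; fall back to 'unknown' if the string is not a dotted version
            $vulnerable = if ($parsed) { $v -lt $FixedVersion } else { 'unknown' }
            [pscustomobject]@{
                Product    = $_.DisplayName
                Version    = $_.DisplayVersion
                Vulnerable = $vulnerable
            }
        }
}

function Get-LowPrivWriteAces {
    param([Parameter(Mandatory)][string]$Path)
    # Identities a low-privileged interactive user typically holds (assumption for this audit)
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    # Any of these rights lets a user create, rename or delete entries, i.e. plant a link
    $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Get-ReparsePointsIn {
    param([Parameter(Mandatory)][string]$Path)
    # -Attributes ReparsePoint matches symbolic links and junctions; -Force includes hidden entries
    Get-ChildItem -LiteralPath $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Select-Object FullName, LinkType, Target, LastWriteTime
}

# --- run the audit ---------------------------------------------------------------------
Write-Host 'Installed Bitdefender products (Vulnerable = True means below 27.0.47.241):'
Get-BitdefenderInstallState | Format-Table -AutoSize

if (Test-Path -LiteralPath $FeedbackDir) {
    Write-Host "Low-privileged write/delete ACEs on $FeedbackDir (any row is a risk indicator):"
    Get-LowPrivWriteAces -Path $FeedbackDir | Format-Table -AutoSize

    Write-Host "Reparse points inside $FeedbackDir (expected: none):"
    Get-ReparsePointsIn -Path $FeedbackDir | Format-Table -AutoSize
} else {
    Write-Host "$FeedbackDir does not exist on this host."
}
```

A non-empty result from Get-LowPrivWriteAces after the vendor fix is applied does not by itself mean the host is exploitable, but it is the condition mitigation item 2 asks to remove; a reparse point inside the directory is worth an incident-response look regardless of version, since the service has no legitimate reason to find one there.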


Technical Details

Data Version: 5.2
Assigner Short Name: Bitdefender
Date Reserved: 2025-07-04T15:58:42.058Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693945e9681246c13df087ff

Added to database: 12/10/2025, 10:05:29 AM

Last enriched: 3/31/2026, 7:29:28 PM

Last updated: 5/9/2026, 5:31:41 AM

Views: 213
