CVE-2025-7073 is a local privilege escalation vulnerability affecting Bitdefender Total Security 27.0.46.231. The vulnerability arises from improper handling of symbolic links by the bdservicehost.exe process, which deletes files from the user-writable directory C:\ProgramData\Atc\Feedback without validating whether the files are symbolic links. This improper link resolution (CWE-59) allows a low-privileged attacker to create malicious symbolic links that redirect file deletion operations to arbitrary files, enabling arbitrary file deletion. The vulnerability is further exploitable by chaining it with a file copy operation that occurs during network events and a filter driver bypass achieved through DLL injection. This chain allows an attacker to perform arbitrary file copy and ultimately execute code with elevated privileges, effectively escalating from a low-privileged user to a higher privileged context. The CVSS 4.0 base score is 8.8 (high severity), reflecting the significant impact on confidentiality, integrity, and availability, the requirement for local access with partial privileges, and the absence of user interaction. No patches or known exploits are currently reported, but the vulnerability's complexity and impact make it a critical concern for affected users. The issue highlights the risks of improper symbolic link validation in security software components that operate with elevated privileges and interact with user-writable directories.

For European organizations, this vulnerability poses a serious threat to endpoint security and overall network integrity. Successful exploitation could allow attackers to gain elevated privileges on systems protected by Bitdefender Total Security, potentially bypassing security controls and gaining persistent access. This could lead to unauthorized access to sensitive data, disruption of security monitoring, and further lateral movement within corporate networks. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, which often deploy Bitdefender solutions, could face significant operational and reputational damage. The ability to execute arbitrary code with elevated privileges increases the risk of ransomware deployment, data exfiltration, and sabotage. Given the local access requirement, insider threats or attackers who have already compromised low-privileged accounts are the primary risk vectors. The lack of known exploits in the wild provides a window for proactive mitigation before widespread exploitation occurs.

Organizations should immediately audit and restrict permissions on the C:\ProgramData\Atc\Feedback directory to prevent unauthorized users from creating or modifying symbolic links. Employ application whitelisting and endpoint detection to monitor suspicious activities related to bdservicehost.exe and DLL injection attempts. Since no official patch is currently available, consider deploying host-based intrusion prevention systems (HIPS) to detect and block attempts to exploit symbolic link vulnerabilities. Network segmentation and strict access controls can limit the ability of low-privileged users to reach critical systems. Regularly review and harden security software configurations to minimize writable directories accessible by non-administrative users. Monitor system logs for unusual file deletion or copy operations involving bdservicehost.exe. Engage with Bitdefender support for updates or patches and apply them promptly once released. Finally, conduct user awareness training to reduce insider threat risks and ensure rapid incident response capabilities are in place.