How to fix CVE-2025-7073?

Within 24 hours: Inventory all Bitdefender deployments and identify systems running versions prior to 27.0.47.241 across Total Security, Antivirus, Internet Security, and Endpoint Security Tools. Within 7 days: Deploy vendor patch to version 27.0.47.241 or later to all affected systems, prioritizing high-value assets and systems with network-facing roles. Within 30 days: Complete patching of all remaining vulnerable instances and verify deployment through endpoint management tools; conduct audit of privileged access logs during vulnerability window for suspicious activity.

Is Windows affected by CVE-2025-7073?

Bitdefender Total Security, Antivirus, Internet Security, and Endpoint Security Tools versions before 27.0.47.241 contain a local privilege escalation vulnerability that allows low-privileged users to execute arbitrary code with SYSTEM-level permissions through a multi-stage attack chain.

CVE-2025-7073

HIGH

2025-12-10 [email protected]

8.8

CVSS 4.0

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 31, 2026 - 12:22 vuln.today

CVE Published

Dec 10, 2025 - 10:16 nvd

HIGH 8.8

Description

A local privilege escalation vulnerability in Bitdefender Total Security versions prior to 27.0.47.241 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\ProgramData\Atc\Feedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as elevated user.

Analysis

Bitdefender Total Security, Antivirus, Internet Security, and Endpoint Security Tools prior to version 27.0.47.241 allow local attackers with low privileges to execute arbitrary code as SYSTEM through a complex attack chain. The bdservicehost.exe service deletes files from C:\ProgramData\Atc\Feedback without validating symbolic links (CWE-59), enabling arbitrary file deletion that attackers chain with network-triggered file copy operations and filter driver bypass via DLL injection to achieve full privilege escalation. EPSS indicates 0.02% exploitation probability (6th percentile), and no public exploit code or active exploitation has been identified at time of analysis. Vendor has released patches addressing this multi-stage local escalation vector.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2025-7073 vulnerability details – vuln.today

Back

CVE-2025-7073

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Priority Score

Share

CVE-2025-7073

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Priority Score

Share

External POC / Exploit Code