Skip to main content

Glary Utilities CVE-2026-15684

HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-07-13 zdi
7.3
CVSS 3.0 · Vendor: zdi
Share

Severity by source

Vendor (zdi) PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
6.6 MEDIUM

Local low-priv attacker with required user interaction abuses a junction for arbitrary delete escalating to SYSTEM (I:H/A:H); no direct data disclosure so C:N, though vendor rates C:H via code-exec chaining.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zdi).

CVSS VectorVendor: zdi

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 22:08 vuln.today
CVE Published
Jul 13, 2026 - 21:30 cve.org
HIGH 7.3

DescriptionCVE.org

Glarysoft Glary Utilities Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Glarysoft Glary Utilities. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Disk Clean functionality. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27004.

AnalysisAI

Local privilege escalation in Glarysoft Glary Utilities lets an already-present low-privileged attacker abuse the Disk Clean feature to delete arbitrary files and ultimately execute code as SYSTEM. Discovered and reported through the Zero Day Initiative (ZDI-26-402, ZDI-CAN-27004), it stems from the privileged cleanup service following filesystem junctions (CWE-59) planted by the attacker. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privileged code execution on host
Delivery
Plant NTFS junction in Disk Clean path
Exploit
Privileged service follows junction
Execution
Delete/redirect protected SYSTEM file
Persist
Chain file-delete into SYSTEM code execution
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already have the ability to execute low-privileged code on the target Windows system (a local, authenticated foothold - PR:L), and Glary Utilities must be installed with its privileged Disk Clean functionality present. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.0 base score is 7.3 (High) with vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, meaning local access, low attacker privileges, and required user interaction, but full confidentiality/integrity/availability impact once triggered - consistent with escalation to SYSTEM. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already gained a low-privileged foothold on a Windows host (for example via phishing malware or a limited user account) plants a crafted NTFS junction inside a directory that Glary Utilities' Disk Clean will process. When the privileged cleanup runs and follows the junction, it deletes a protected file the attacker chose, which is chained into overwriting or planting a component that executes as SYSTEM, yielding full system compromise. …
Remediation No vendor-released patch version is identified in the available data, so the primary action is to consult the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-402/ and Glarysoft's own release notes to obtain and deploy the latest patched build of Glary Utilities as soon as it is confirmed, applying the exact fixed version once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all systems running Glarysoft Glary Utilities and prepare for immediate remediation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy