Glary Utilities
CVE-2026-15684
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Local low-priv attacker with required user interaction abuses a junction for arbitrary delete escalating to SYSTEM (I:H/A:H); no direct data disclosure so C:N, though vendor rates C:H via code-exec chaining.
Primary rating from Vendor (zdi).
CVSS VectorVendor: zdi
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Glarysoft Glary Utilities Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Glarysoft Glary Utilities. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the Disk Clean functionality. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27004.
AnalysisAI
Local privilege escalation in Glarysoft Glary Utilities lets an already-present low-privileged attacker abuse the Disk Clean feature to delete arbitrary files and ultimately execute code as SYSTEM. Discovered and reported through the Zero Day Initiative (ZDI-26-402, ZDI-CAN-27004), it stems from the privileged cleanup service following filesystem junctions (CWE-59) planted by the attacker. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already have the ability to execute low-privileged code on the target Windows system (a local, authenticated foothold - PR:L), and Glary Utilities must be installed with its privileged Disk Clean functionality present. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.0 base score is 7.3 (High) with vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, meaning local access, low attacker privileges, and required user interaction, but full confidentiality/integrity/availability impact once triggered - consistent with escalation to SYSTEM. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already gained a low-privileged foothold on a Windows host (for example via phishing malware or a limited user account) plants a crafted NTFS junction inside a directory that Glary Utilities' Disk Clean will process. When the privileged cleanup runs and follows the junction, it deletes a protected file the attacker chose, which is chained into overwriting or planting a component that executes as SYSTEM, yielding full system compromise. … |
| Remediation | No vendor-released patch version is identified in the available data, so the primary action is to consult the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-402/ and Glarysoft's own release notes to obtain and deploy the latest patched build of Glary Utilities as soon as it is confirmed, applying the exact fixed version once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all systems running Glarysoft Glary Utilities and prepare for immediate remediation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Glary Utilities
View allSame weakness CWE-59 – Improper Link Resolution Before File Access
View allShare
External POC / Exploit Code
Leaving vuln.today