Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local low-priv attacker (AV:L/PR:L) must win a symlink TOCTOU race (AC:H) and needs the shred operation triggered (UI:R), yielding full local C/I/A impact without scope change.
Primary rating from Vendor (Bitdefender).
CVSS VectorVendor: Bitdefender
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An Improper link resolution before file access ('link following') vulnerability in the File Shredder module as used in Bitdefender Total Security and Internet Security on Windows allows a less-privileged local user to elevate rights by leveraging a race conditions via Symbolic Links.
This issue affects Total Security: before 27.0.58.315; Internet Security: before 27.0.58.315.
AnalysisAI
Local privilege escalation in Bitdefender Total Security and Internet Security for Windows (versions before 27.0.58.315) lets a less-privileged local user gain higher rights by abusing a symbolic-link race condition in the File Shredder module. Because the shredder operates with elevated privileges and does not safely resolve links before acting on files, an attacker who wins a time-of-check/time-of-use race can redirect a privileged file operation to a target of their choosing. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the Windows host as a less-privileged user (PR:L) and requires the privileged File Shredder module to act on an attacker-influenced path, with user interaction (UI:P) to trigger the shred operation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H, base 7.0 High) is internally consistent with a local, low-privilege attacker who needs to win a race and requires user interaction to trigger the privileged shred operation, but achieves high impact to confidentiality, integrity and availability of the local system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user on a shared Windows workstation stages a directory and prepares to swap a benign file for a symbolic link pointing at a protected system file. When the privileged File Shredder operation runs against that path, the attacker wins the race and redirects the elevated delete/overwrite to their chosen target, corrupting or removing a protected resource to escalate privileges. … |
| Remediation | Vendor-released patch: update Bitdefender Total Security and Internet Security to version 27.0.58.315 or later; these products auto-update by default, so verify the installed engine/product version and force an update check on managed endpoints. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: conduct a complete inventory of all Windows endpoints running Bitdefender versions before 27.0.58.315, documenting specific versions and identifying systems handling sensitive data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Total Security
View allStack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 and earlier, Total Security 10.1.0.316 and earlie
The webssx.sys driver in QuickHeal 16.00 allows remote attackers to cause a denial of service. Rated high severity (CVSS
The GDASPAMLib.AntiSpam ActiveX control ASK\GDASpam.dll in G DATA Total Security 25.4.0.3 has a buffer overflow via a lo
A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient val
gdwfpcd.sys in G Data Total Security before 2019-02-22 allows an attacker to bypass ACLs because Interpreted Device Char
K7Sentry.sys in K7 Computing Ultimate Security, Anti-Virus Plus, and Total Security before 14.2.0.253 allows local users
Quick Heal Total Security before 19.0 allows attackers with local admin rights to obtain access to files in the File Vau
Kaspersky Secure Connection, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Security Cloud prior to ve
Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10.1.0.316, and Quick Heal AntiVirus Pro 10.1.0.316 a
Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10.1.0.316, and Quick Heal AntiVirus Pro 10.1.0.316 a
Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10.1.0.316, and Quick Heal AntiVirus Pro 10.1.0.316 a
Quick Heal Total Security before version 19.0 transmits quarantine and sysinfo files via clear text. Rated medium severi
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43632
GHSA-f943-xhh7-7c5g