On February 11, 2025, Microsoft disclosed CVE-2025-21391, an elevation of privilege (EoP) vulnerability affecting Windows Storage.

This vulnerability allows local, authenticated attackers to delete arbitrary files on a system, potentially disrupting services and compromising system integrity. Microsoft has confirmed that this flaw has been actively exploited in the wild, making immediate patching essential for organizations and individual users alike.

• CVE ID: CVE-2025-21391

• CVSS Score: 7.1 (High)

• Severity: Elevation of Privilege

• Exploited in the Wild: Yes

• Impact: Unauthorized file deletion leading to system instability or potential privilege escalation

Background

CVE-2025-21391 arises from improper link resolution before file access, classified under CWE-59. Specifically, the Windows Storage component fails to correctly handle symbolic links, allowing an attacker to manipulate file operations and delete files without proper authorization. If exploited, an attacker could delete critical system files or application dependencies, potentially causing a denial-of-service (DoS) condition or triggering system instability.

While the vulnerability does not grant initial remote code execution (RCE) or privilege escalation on its own, it can be combined with other flaws to gain further access. Attackers often use such vulnerabilities in multi-step attacks to weaken system defenses before executing more severe exploits. Given that Windows Storage is widely used in enterprise environments, unpatched systems could face significant operational risks.

Affected Products

This vulnerability affects multiple versions of Windows, including both desktop and server editions. Systems running older versions of Windows without the latest patches are particularly at risk. The following versions are impacted:

• Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)

• Windows 11 (versions 22H2, 23H2, 24H2)

• Windows Server 2016, 2019, 2022, 2025

Administrators managing enterprise environments should prioritize patching these versions to prevent potential service disruptions. Additionally, organizations using Windows Storage in high-availability environments should review their security posture.

Indicators of Compromise (IoCs)

Organizations should monitor for unusual system behavior and look for the following indicators of compromise:

• Unexpected deletion of system or application files, particularly in protected directories.

• Service failures or disruptions due to missing critical files, logs, or configuration data.

• Unusual file system activity, especially involving symbolic links or filesystem junctions.

• Anomalous event logs related to file deletions by unauthorized or non-administrative users.

Security teams should implement enhanced logging and monitoring to detect suspicious file operations. Investigating deletions that occur without legitimate user interaction can help uncover potential exploitation attempts.

Attack Vector

An attacker with local access and valid credentials can exploit this vulnerability by crafting malicious symbolic links that target critical system files. By executing specific file operations, the attacker can trick Windows Storage into deleting files without the necessary permissions. This could result in essential system files being removed, leading to application failures or operating system crashes.

What makes this vulnerability particularly concerning is its potential to be used in chained attacks. If an attacker gains an initial foothold on a machine through phishing or malware, they can use this flaw to delete security logs, disable security software, or remove files critical to forensic investigations. As a result, attackers could cover their tracks while preparing further exploitation.

Active Exploitation

Microsoft has confirmed that CVE-2025-21391 has been exploited in the wild, making it a high-priority issue. While specific attack campaigns have not been fully disclosed, initial reports suggest that the vulnerability has been used in targeted attacks against enterprise systems. Security researchers have observed exploitation attempts involving malware designed to delete key security logs, making detection and incident response more difficult.

Some attacks leveraging this vulnerability have been linked to advanced persistent threats (APTs). These groups typically exploit elevation-of-privilege vulnerabilities to facilitate further system compromise. The presence of active exploitation means that unpatched systems are at immediate risk, emphasizing the need for swift action.

Mitigation and Remediation

To protect against CVE-2025-21391, administrators should apply Microsoft's latest security updates as soon as possible. The patch addresses the improper handling of symbolic links and prevents unauthorized file deletions. Users can find the relevant updates in Microsoft's Security Update Guide.

Additionally, organizations should consider implementing the following security measures:

1. Restrict Local User Permissions: Limit the ability of non-administrative users to create or manipulate symbolic links.

2. Enable File System Auditing: Configure Windows to log and alert on unauthorized file deletions.

3. Monitor Endpoint Behavior: Use endpoint detection and response (EDR) solutions to track anomalous file activity.

4. Regular Backups: Maintain up-to-date backups to recover from unexpected file deletions.

Conclusion

CVE-2025-21391 is a serious security flaw that can disrupt system operations and aid attackers in covering their tracks. The fact that this vulnerability has been actively exploited highlights the urgency of applying available patches. Organizations should take immediate steps to secure affected systems and monitor for any signs of compromise. By implementing proactive security measures, businesses can minimize the risks associated with this elevation-of-privilege vulnerability.

Silent Breach provides specialized services to help organizations identify and address vulnerabilities like CVE-2025-21391. Our penetration testing teams simulate sophisticated attacks to identify weaknesses, while our SOC monitoring solutions enable continuous threat detection and rapid incident response. For organizations navigating compliance requirements, our expertise ensures alignment with standards such as ISO 27001 and SOC 2.

For more information on how your organization may be impacted by CVE-2025-21391 or for additional guidance, please contact Silent Breach at contact@silentbreach.com.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.