Microsoft has urgently addressed a high-severity privilege escalation vulnerability (CVE-2025-21420) in the Windows Disk Cleanup Utility (cleanmgr.exe) during its February 2025 Patch Tuesday updates.
The flaw, scoring 7.8 on the CVSS scale, enabled attackers to execute malicious code with SYSTEM privileges through DLL sideloading techniques.
The vulnerability leverages cleanmgr.exe’s privileged execution context to load unsigned DLLs.
Attackers could plant malicious libraries like dokannp1.dll in system directories through path interception or file replacement strategies. Security researchers demonstrated this via:
cp .\dokan1.dll C:\Users\<username>\System32\System32\System32\dokannp1.dll
cleanmgr /sageset:2
This code snippet bypasses signature validation checks by exploiting directory traversal vulnerabilities in the Disk Cleanup scheduler.
Successful exploitation required either manual triggering of the utility or automated execution through disk space thresholds, as reported by Cyber Security News.
The February 2025 update resolved 67 vulnerabilities across Windows components, including four zero-day flaws. Critical patches addressed:
Microsoft’s advisory emphasized immediate installation due to the active exploitation of CVE-2025-21418 and CVE-2025-21377.
Mitigation and Best Practices
Organizations should:
The full technical breakdown and mitigation guidance remain available through Microsoft Security Advisory ADV25002.
Security teams should prioritize auditing scheduled tasks and service configurations to prevent the recurrence of similar privilege escalation vectors.
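As an added example, not part of the original article, the PowerShell audit below turns the two defensive points above into something a Windows administrator can run: it lists scheduled tasks whose actions launch cleanmgr.exe together with the account and run level they use, and it looks for the DLL name mentioned in the article (dokannp1.dll) in the directories the default DLL search order consults, reporting each copy's Authenticode status and SHA-256 hash. The DLL name list is taken from the article; everything else (function names, the directory list) is this example's own choice. Run it from an elevated prompt so that all tasks and directories are readable.

```powershell
# Added defensive audit script (not from the article or from Microsoft).
# 1. Which scheduled tasks launch cleanmgr.exe, and under which principal?
# 2. Is a DLL with the name cited in the article present in a loader search directory,
#    and is it signed?

$SuspectDllNames = @('dokannp1.dll')   # name taken from the article; extend as needed

function Get-CleanmgrTasks {
    # Get-ScheduledTask returns every registered task; only elevated sessions see all of them.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only "execute program" actions carry an Execute property.
            if ($action.Execute -and $action.Execute -match 'cleanmgr(\.exe)?') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    UserId    = $task.Principal.UserId     # SYSTEM here means the task runs privileged
                    RunLevel  = $task.Principal.RunLevel   # Highest = elevated token
                }
            }
        }
    }
}

function Find-SuspectDlls {
    param([string[]]$Names)
    # Directories consulted by the default DLL search order: the application directory
    # (System32 for cleanmgr.exe), System32, SysWOW64, the Windows directory,
    # the current directory and each PATH entry.
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot, (Get-Location).Path) +
            ($env:PATH -split ';' | Where-Object { $_ })
    $dirs = $dirs | Sort-Object -Unique
    foreach ($dir in $dirs) {
        foreach ($name in $Names) {
            $candidate = Join-Path $dir $name
            if (Test-Path -LiteralPath $candidate) {
                $sig = Get-AuthenticodeSignature -FilePath $candidate
                [pscustomobject]@{
                    Path      = $candidate
                    Signature = $sig.Status          # anything other than Valid needs review
                    Signer    = $sig.SignerCertificate.Subject
                    Sha256    = (Get-FileHash -Path $candidate -Algorithm SHA256).Hash
                }
            }
        }
    }
}

Write-Host 'Scheduled tasks that launch cleanmgr.exe:'
Get-CleanmgrTasks | Format-Table -AutoSize

Write-Host 'Copies of suspect DLL names in loader search directories:'
Find-SuspectDlls -Names $SuspectDllNames | Format-Table -AutoSize
```

An empty second table is the expected result on a clean host; a hit whose Signature is not Valid, or whose hash is unknown to your software inventory, is the condition worth escalating, and the first table tells you which tasks would have handed that library a SYSTEM token.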