CVE-2025-21391

What is Windows Storage Link Following?

Windows Storage management components handle disk, volume, and filesystem operations with elevated privileges. "Link following" vulnerabilities (CWE-59) occur when a privileged process follows symbolic links (symlinks) or directory junctions created by an attacker in a location the privileged process is expected to operate on — allowing the attacker to redirect the privileged operation to an arbitrary target.

Symlink attacks are a classic Windows privilege escalation technique: an attacker creates a symlink at a path a privileged process will operate on (e.g., delete, write), causing the privileged process to perform that operation on the attacker's chosen target rather than the intended path.

Overview

CVE-2025-21391 is a link following vulnerability (CWE-59) in Windows Storage management that allows a locally authenticated low-privilege attacker to delete arbitrary files on the filesystem — including files that require elevated privileges to delete. The integrity and availability impact (I:H, A:H) reflect that arbitrary file deletion can disrupt or disable system services, security software, or critical system files. Disclosed as a zero-day in the February 2025 Patch Tuesday alongside AFD heap overflow CVE-2025-21418.

Affected Versions

Technical Details

The link following vulnerability (CWE-59) in Windows Storage allows a low-privilege attacker to place a symbolic link or directory junction at a path that a privileged Windows Storage operation will use. When the privileged operation (delete, move, or modify) follows the link, it performs the operation on the attacker-specified target rather than the intended path — deleting files the attacker could not directly delete with their own privileges.

Common exploitation patterns:

• Delete security software executables or signature files → disable endpoint protection
• Delete critical system files to cause service failures or trigger system repair modes that can be exploited
• Delete lock files or database files to corrupt application state
• Chain with other vulnerabilities: delete a privileged DLL and replace it (via a writable path) with a malicious one → DLL hijacking privilege escalation

The confidentiality impact is None (C:N) — the vulnerability enables deletion but not direct reading of files.

Discovery

Microsoft Threat Intelligence identified active exploitation before February 2025 Patch Tuesday.

Exploitation Context

Confirmed zero-day exploitation before February 11, 2025. File deletion primitives are frequently used as a stepping stone in privilege escalation chains: an attacker with low privileges first uses the deletion primitive to remove a privileged binary or configuration file, then exploits the resulting system state (missing DLL, missing lock file, repair mode) to gain elevated access.

Remediation

1. Apply the February 2025 cumulative update for your Windows version. The CISA deadline was March 4, 2025.
2. Enable Tamper Protection in Microsoft Defender — this protects security software files from unauthorized deletion even if a symlink attack succeeds.
3. Implement filesystem auditing (Windows Security Event ID 4663) on critical system directories to detect unexpected deletion attempts.
4. Apply the companion AFD patch (CVE-2025-21418) from the same cumulative update — the two vulnerabilities were exploited in the same zero-day period.