PatchSiren cyber security CVE debrief
CVE-2025-7073 Bitdefender CVE debrief
A local privilege escalation vulnerability in Bitdefender Total Security and related products allows low-privileged attackers to elevate privileges through a multi-stage attack chain. The vulnerability stems from improper symbolic link validation in the bdservicehost.exe service, which deletes files from a user-writable directory (C:\ProgramData\AtcFeedback) without adequate security checks. This arbitrary file deletion primitive can be chained with file copy operations during network events and a filter driver bypass achieved via DLL injection, ultimately enabling arbitrary file copy and code execution with elevated privileges. The issue affects multiple Bitdefender product lines including Total Security, Internet Security, Antivirus Plus, Antivirus Free, and Endpoint Security Tools for Windows. Bitdefender has released security updates addressing this vulnerability, and users should apply the relevant patches to mitigate risk.
- Vendor: Bitdefender
- Product: Total Security
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-10
- Original CVE updated: 2026-05-18
- Advisory published: 2025-12-10
- Advisory updated: 2026-05-18
Who should care
Organizations and individuals using affected Bitdefender products on Windows endpoints, particularly those with multi-user environments where low-privileged users have local access. Security teams responsible for endpoint protection deployments should prioritize patching due to the potential for complete system compromise.
Technical summary
The vulnerability exists in bdservicehost.exe, a Bitdefender service component that handles feedback data in the C:\ProgramData\AtcFeedback directory. The service performs file deletion operations without properly validating symbolic links, allowing an attacker with low privileges to redirect file operations to arbitrary locations. This arbitrary file deletion capability serves as the initial primitive in a multi-stage attack chain. The attacker can leverage this primitive in conjunction with file copy operations that occur during network events, combined with a filter driver bypass achieved through DLL injection. The complete chain enables arbitrary file copy with elevated privileges and ultimately code execution as an elevated user. The vulnerability is particularly significant because it bypasses Bitdefender's own protective mechanisms, including its filter driver, demonstrating a compromise of the security product's defensive capabilities. The attack requires local access and is rated as high complexity, but successful exploitation grants complete control over the affected system with high impact on confidentiality, integrity, and availability.
Defensive priority
HIGH
Recommended defensive actions
- Apply the latest security updates from Bitdefender for affected products: Total Security and Internet Security versions prior to 27.0.47.241, Antivirus Plus versions prior to 27.0.47.241, Antivirus Free versions prior to
- Monitor for suspicious activity in the C:\ProgramData\AtcFeedback directory and related bdservicehost.exe operations
- Review endpoint security logs for indicators of DLL injection attempts targeting Bitdefender filter drivers
- Ensure least privilege principles are enforced for user accounts to reduce the attack surface for local privilege escalation
- Consider implementing application control policies to restrict unauthorized DLL loading in Bitdefender processes
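Added example, not Bitdefender's code and not taken from the advisory: a Python illustration of the CWE-59 pattern this debrief describes, pairing a detection helper that lists planted links in a user-writable directory with a cleanup routine that refuses to follow them. The directory and file names are constructed for the demo, and the Windows flag named in the comment is the standard handle-based approach to this class of bug, not a description of the vendor's fix.

```python
import os
import stat
import tempfile

def is_link(st: os.stat_result) -> bool:
    """Symlink on any OS, or any reparse point (junctions included) on Windows."""
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # field exists on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def audit_links(base: str) -> list[str]:
    """Detection helper: entries of base that are links/reparse points, i.e. the
    planted redirections a monitoring rule on the feedback directory would flag."""
    return sorted(e.name for e in os.scandir(base) if is_link(e.stat(follow_symlinks=False)))

def safe_cleanup(base: str) -> tuple[list[str], list[str]]:
    """Hardened cleanup: refuse a base that is itself a link, never follow links
    inside it, unlink regular files only. Returns sorted (removed, refused) names.
    Caveat: still check-then-act. A Windows service should open each entry
    relative to a directory handle with FILE_FLAG_OPEN_REPARSE_POINT and delete
    through that handle, so a link swapped in after the check cannot redirect it."""
    if is_link(os.lstat(base)):
        raise PermissionError(f"refusing to clean {base}: directory is a link")
    removed, refused = [], []
    for entry in os.scandir(base):
        st = entry.stat(follow_symlinks=False)
        if is_link(st) or not stat.S_ISREG(st.st_mode):
            refused.append(entry.name)  # log this: it is the detection signal
            continue
        os.remove(entry.path)
        removed.append(entry.name)
    return sorted(removed), sorted(refused)

def run_demo() -> dict:
    """Constructed sample: one real file plus two planted links (to a file and
    to a directory outside base). Returns what audit and cleanup did."""
    base, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    protected = os.path.join(outside, "protected.txt")
    for p in (protected, os.path.join(base, "report.dat")):
        open(p, "w").close()
    os.symlink(protected, os.path.join(base, "planted_file"))
    os.symlink(outside, os.path.join(base, "planted_dir"))
    found = audit_links(base)
    removed, refused = safe_cleanup(base)
    return {"found": found, "removed": removed, "refused": refused,
            "protected_intact": os.path.exists(protected)}
```

Running `run_demo()` shows both links reported by the audit and refused by the cleanup while the real file is removed and the outside target is untouched.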
Evidence notes
The vulnerability description and affected product versions are derived from the official Bitdefender security advisory and NVD CPE criteria. The CVSS 4.0 vector indicates a local attack vector with high complexity, requiring low privileges but no user interaction, with high impact across confidentiality, integrity, and availability. The weakness is classified as CWE-59 (Improper Link Resolution Before File Access).
Official resources
- CVE-2025-7073 CVE record (CVE.org)
- CVE-2025-7073 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Bitdefender published a security advisory for this vulnerability on December 10, 2025. The NVD entry was subsequently modified on May 18, 2026. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA