Platform
windows
Component
cloudflare-warp
Fixed in
2024.12.492.0
CVE-2025-0651 describes an Improper Privilege Management vulnerability within Cloudflare WARP on Windows. This flaw allows a low-privilege user to manipulate files by creating symbolic links within the C:\ProgramData\Cloudflare\warp-diag-partials directory. Triggering the 'Reset all settings' option can then lead to the deletion of system-owned files due to the WARP service operating with System privileges. This vulnerability impacts versions of WARP prior to 2024.12.492.0 and has been addressed in the updated release.
The core impact of CVE-2025-0651 lies in the potential for unauthorized file deletion. An attacker, even with limited system privileges, can craft a sequence of actions to exploit this vulnerability. First, they create symbolic links within the designated WARP diagnostic directory. Subsequently, by initiating the 'Reset all settings' process, the WARP service, running with elevated System privileges, will attempt to delete files pointed to by these malicious symlinks. This could result in the accidental deletion of critical system files, leading to instability, data loss, or even a complete system failure. The blast radius is significant, as the deletion of core system files can have widespread consequences.
CVE-2025-0651 was publicly disclosed on January 22, 2025. There is no indication of this vulnerability being actively exploited in the wild at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the relatively straightforward nature of the exploitation path suggests that PoCs may emerge. The EPSS score is pending evaluation.
Organizations and individuals using Cloudflare WARP on Windows are at risk. This includes users who have not yet updated to the latest version and those with legacy configurations that might be more susceptible to exploitation. Shared hosting environments where multiple users have access to the system are also at increased risk.
• windows / supply-chain:
Get-ScheduledTask | Where-Object {$_.TaskName -like '*WARP*'} | Select-Object TaskName, State
• windows / supply-chain:
Get-Process | Where-Object {$_.ProcessName -like '*warp*'} | Select-Object ProcessName, Id
• windows / supply-chain:
Check the registry for unusual entries under HKEY_CURRENT_USER\Software\Cloudflare\WARP or HKEY_LOCAL_MACHINE\Software\Cloudflare\WARP that might indicate malicious configuration.
• windows / supply-chain:
Use Windows Defender to search for suspicious processes or files related to WARP, particularly those creating symbolic links in the C:\ProgramData\Cloudflare\warp-diag-partials directory.
EPSS
0.16% (37th percentile)
The primary mitigation for CVE-2025-0651 is to immediately upgrade Cloudflare WARP to version 2024.12.492.0 or later. While a direct workaround is not available, restricting access to the C:\ProgramData\Cloudflare\warp-diag-partials directory could offer a temporary layer of defense, though this is not a substitute for patching. Monitor system logs for unusual file deletion activity, particularly within the WARP diagnostic directory. Consider implementing stricter access controls on the C:\ProgramData directory to limit the ability of low-privilege users to create symbolic links. After upgrading, confirm the fix by attempting to create and delete files via symlinks within the WARP diagnostic directory to ensure the intended behavior is restored.
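The symbolic-link check from the detection items and the access-control advice above can be scripted. The following is an added example, not code from Cloudflare or from the original page: the directory path is taken from the advisory, and the function names Find-ReparsePoint and Get-WritableAce are hypothetical.

```powershell
# Added example (not vendor code). Path is from the advisory text;
# Find-ReparsePoint and Get-WritableAce are hypothetical helper names.
$DiagDir = 'C:\ProgramData\Cloudflare\warp-diag-partials'

function Find-ReparsePoint {
    # Walk $Path and emit every symlink/junction, never descending into one.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $root = Get-Item -LiteralPath $Path -Force
    if ($root.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $root   # the diagnostic directory itself is a link
        return
    }
    $pending = [System.Collections.Generic.Stack[string]]::new()
    $pending.Push($root.FullName)
    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        foreach ($item in Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue) {
            if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) { $item }
            elseif ($item.PSIsContainer) { $pending.Push($item.FullName) }
        }
    }
}

function Get-WritableAce {
    # List allow-ACEs that let a principal create, change or delete entries in $Path.
    # ACEs expressed only as generic rights are not matched by this mask.
    param([Parameter(Mandatory)][string]$Path)
    $mask = [Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $mask) } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$links = @(Find-ReparsePoint -Path $DiagDir)
if ($links.Count -gt 0) {
    Write-Warning "$($links.Count) reparse point(s) found under $DiagDir"
    $links | Select-Object FullName, LinkType, Target, CreationTimeUtc | Format-List
} else {
    Write-Output "No reparse points found under $DiagDir"
}
if (Test-Path -LiteralPath $DiagDir) {
    Get-WritableAce -Path $DiagDir | Format-Table -AutoSize
}
```

Any link reported here on a host running a version prior to 2024.12.492.0 should be reviewed before 'Reset all settings' is used, and write-capable entries for non-administrative principals show where the directory ACL could be tightened.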
Update Cloudflare WARP to a version later than 2024.12.492.0. This resolves the file manipulation vulnerability caused by symbolic link abuse. The update can be performed through the software's automatic update mechanism or by downloading the latest version from the Cloudflare website.
CVE-2025-0651 is a File Manipulation vulnerability in Cloudflare WARP for Windows that allows low-privilege users to potentially delete system files by exploiting improper privilege management.
You are affected if you are using Cloudflare WARP on Windows versions prior to 2024.12.492.0.
Upgrade Cloudflare WARP to version 2024.12.492.0 or later to resolve this vulnerability.
As of now, there are no known public exploits or active campaigns targeting CVE-2025-0651.
Refer to the official Cloudflare security advisory for detailed information and updates regarding CVE-2025-0651.