Platform: windows
Component: cloudflare-warp
Fixed in: 2024.12.492.0
CVE-2025-0651 describes an Improper Privilege Management vulnerability within Cloudflare WARP for Windows. This flaw allows a low-privilege user to manipulate files by creating symbolic links within the C:\ProgramData\Cloudflare\warp-diag-partials directory and leveraging the 'Reset all settings' option. The WARP service, operating with System privileges, could inadvertently delete critical system files, leading to instability or denial of service. This vulnerability impacts versions of WARP prior to 2024.12.492.0, and a fix is available.
The core impact of CVE-2025-0651 is unauthorized file deletion by a low-privilege user. By crafting a series of symbolic links and triggering the 'Reset all settings' function, an attacker can trick the WARP service, which runs with System privileges, into deleting files. This could lead to system instability, application failures, and even denial of service. Although the vulnerability requires local access and interaction with the WARP client, the fact that the deletion is carried out with System privileges makes it a significant concern. The blast radius is limited to the files accessible through the targeted directory, but the potential for critical system files to be affected warrants immediate attention.
CVE-2025-0651 was publicly disclosed on January 22, 2025. Currently, there are no known public exploits or active campaigns targeting this vulnerability. Its inclusion in the KEV catalog is pending. The vulnerability’s reliance on local interaction and specific user actions suggests a lower probability of widespread exploitation compared to remote code execution vulnerabilities, but the potential for system disruption necessitates prompt remediation.
Exploit Status
EPSS: 0.16% (37th percentile)
CISA SSVC
The primary mitigation for CVE-2025-0651 is to immediately upgrade Cloudflare WARP to version 2024.12.492.0 or later. This patched version addresses the improper privilege management issue and prevents the symbolic link manipulation. As a temporary workaround, restricting access to the C:\ProgramData\Cloudflare\warp-diag-partials directory could limit the attacker's ability to create malicious symlinks. However, this is not a complete solution and should only be considered until the upgrade can be implemented. After upgrading, verify the fix by attempting to create a symlink within the directory and triggering the 'Reset all settings' option; the WARP service should no longer delete system files.
Upgrade Cloudflare WARP to a version later than 2024.12.492.0. This will fix the file manipulation vulnerability caused by symbolic link abuse. The update can be performed through the software's automatic update mechanism or by downloading the latest version from the Cloudflare website.
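A defender-side check for the two conditions described above, as an added example (not Cloudflare's code and not part of the original advisory): it compares an installed version string against the fixed release and lists symbolic links or other reparse points under the diagnostics directory. The function names are hypothetical, and the installed version is assumed to be supplied by the operator.

```python
import os
import stat
import sys

FIXED_VERSION = (2024, 12, 492, 0)  # "Fixed in" value from the advisory
DIAG_DIR = r"C:\ProgramData\Cloudflare\warp-diag-partials"  # path from the advisory


def parse_version(text):
    """Turn '2024.12.492.0' into a 4-part tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(installed):
    """True when the installed WARP version predates the fixed release."""
    return parse_version(installed) < FIXED_VERSION


def is_link_like(path):
    """True for symlinks and, on Windows, any reparse point (junctions included)."""
    try:
        st = os.lstat(path)  # lstat inspects the entry itself, never its target
    except OSError:
        return False  # entry vanished or is unreadable
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def find_links(root):
    """Return link-like entries under root without descending into them."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in list(dirnames) + filenames:
            full = os.path.join(dirpath, name)
            if is_link_like(full):
                hits.append(full)
                if name in dirnames:
                    dirnames.remove(name)  # never walk into a junction or dir link
    return sorted(hits)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: warp_check.py <installed WARP version>")
    print("affected by CVE-2025-0651:", is_affected(sys.argv[1]))
    for hit in find_links(DIAG_DIR):
        print("link in diagnostics directory:", hit)
```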
CVE-2025-0651 is a File Manipulation vulnerability in Cloudflare WARP for Windows that allows low-privilege users to potentially delete system files by exploiting improper privilege management.
You are affected if you are running a version of Cloudflare WARP for Windows prior to 2024.12.492.0.
Upgrade Cloudflare WARP to version 2024.12.492.0 or later to resolve this vulnerability.
As of now, there are no known public exploits or active campaigns targeting CVE-2025-0651.
Refer to the official Cloudflare security advisory for detailed information and updates regarding CVE-2025-0651.