Cyber Posture

CVE-2025-0651

High · LPE

Published: 22 January 2025

Modified: 31 July 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0022 (44.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0651 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Cloudflare Warp. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The CVE ranks at the 44.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data Destruction (T1485). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Addresses the core improper privilege management (CWE-269) by requiring the WARP service to operate with least privileges, preventing deletion of arbitrary System-owned files via low-privileged symlink creation.

prevent

Requires validation of file paths and types in the warp-diag-partials folder during reset operations to block processing of malicious symlinks pointing to protected files.

prevent

Mandates timely flaw remediation by updating Cloudflare WARP to version 2024.12.492.0 or later, which fixes the symlink handling vulnerability.

MITRE ATT&CK Enterprise Techniques · AI

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

The vulnerability enables a low-privileged local attacker to trigger arbitrary file deletion (including System-owned files) via symlink abuse during a privileged service operation, directly facilitating data destruction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation. A user with low system privileges can create a set of symlinks inside the C:\ProgramData\Cloudflare\warp-diag-partials folder. After triggering the "Reset all settings" option, the WARP service will delete the files that the symlink was pointing to. Given the WARP service operates with System privileges, this might lead to deleting files owned by the System user. This issue affects WARP: before 2024.12.492.0.

Deeper analysis · AI

CVE-2025-0651 is an Improper Privilege Management vulnerability (CWE-269) in Cloudflare WARP on Windows that enables file manipulation. It affects WARP versions prior to 2024.12.492.0. The issue stems from inadequate handling of symbolic links in the C:\ProgramData\Cloudflare\warp-diag-partials folder during the "Reset all settings" operation.

A local attacker with low system privileges can exploit this by creating symbolic links within the specified folder that point to arbitrary files, including those owned by the System user. Upon triggering the "Reset all settings" option, the WARP service—running with System privileges—deletes the files referenced by the symlinks. This results in unauthorized file deletion, with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high impact on integrity and availability.

Cloudflare's WARP client documentation at https://developers.cloudflare.com/warp-client/ provides relevant details on the software. Mitigation requires updating to WARP version 2024.12.492.0 or later to address the vulnerability.
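A check a defender can run on a Windows host before it is updated, as an added example (not code from Cloudflare or from this page): it walks the folder named in the NVD description without entering any link and lists the symlinks or junctions it finds with their targets. The path and fixed version come from the advisory text; the function name and the operator-supplied `-InstalledVersion` parameter are assumptions.

```powershell
# Added example, not Cloudflare code. Path and fixed version are taken from the
# advisory text; the function name and -InstalledVersion are assumptions.
param(
    [string]$DiagDir = 'C:\ProgramData\Cloudflare\warp-diag-partials',
    [string]$InstalledVersion   # supplied by the operator, e.g. from software inventory
)

$FixedVersion = [version]'2024.12.492.0'

function Find-ReparsePoint {
    # Walk a directory tree and emit every symlink or junction found.
    # Links are reported but never entered, so the audit cannot be redirected.
    param([Parameter(Mandatory)][System.IO.FileSystemInfo]$Item)

    if ($Item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        [pscustomobject]@{
            Path     = $Item.FullName
            LinkType = $Item.LinkType
            Target   = ($Item.Target -join '; ')
        }
        return
    }
    if ($Item -is [System.IO.DirectoryInfo]) {
        foreach ($child in Get-ChildItem -LiteralPath $Item.FullName -Force) {
            Find-ReparsePoint -Item $child
        }
    }
}

if ($InstalledVersion) {
    if ([version]$InstalledVersion -lt $FixedVersion) {
        Write-Warning "WARP $InstalledVersion is older than $FixedVersion and must be updated."
    } else {
        Write-Output "WARP $InstalledVersion includes the fix."
    }
}

if (-not (Test-Path -LiteralPath $DiagDir)) {
    Write-Output "$DiagDir not present; nothing to audit."
    return
}

$findings = @(Find-ReparsePoint -Item (Get-Item -LiteralPath $DiagDir -Force))
if ($findings.Count -eq 0) {
    Write-Output "No reparse points under $DiagDir"
} else {
    Write-Warning "$($findings.Count) reparse point(s) under $DiagDir, review before any settings reset:"
    $findings | Format-Table -AutoSize -Wrap
}
```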

Details

CWE(s)

Affected Products

cloudflare · warp · ≤ 2024.12.492.0

CVEs Like This One

CVE-2021-3978 · Same vendor: Cloudflare
CVE-2026-2835 · Same vendor: Cloudflare
CVE-2026-2836 · Same vendor: Cloudflare
CVE-2026-2833 · Same vendor: Cloudflare
CVE-2026-1229 · Same vendor: Cloudflare
CVE-2026-0933 · Same vendor: Cloudflare
CVE-2026-2777 · Shared CWE-269
CVE-2025-0834 · Shared CWE-269
CVE-2025-48613 · Shared CWE-269
CVE-2024-58104 · Shared CWE-269
