A vulnerability tracked as CVE-2025-29975 in Microsoft PC Manager hands local attackers a direct path to full SYSTEM control. With a CVSS 3.1 score of 7.8 (high) and a low attack complexity, the bug lets any authenticated user who can place a symlink or junction point escalate to Administrator or SYSTEM privileges. Microsoft patched the flaw in version 3.16.1.0, but the window between disclosure and enterprise-wide deployment leaves many endpoints exposed.

Security researchers at Trend Micro’s Zero Day Initiative (ZDI) and Microsoft’s own security team pinpointed improper link resolution as the root cause—a class of weakness that has plagued Windows utilities for over a decade. When PC Manager, a system maintenance tool designed to clean temp files and optimize performance, performs file operations with elevated rights, it fails to verify whether the file it’s about to delete, move, or replace is really what it appears to be. An attacker who plants a reparse point (a symlink or directory junction) in a location PC Manager will touch can redirect that privileged action to a protected system file, leading to code execution with the highest integrity level.

Why PC Manager is a prime target

Microsoft PC Manager is marketed as an all-in-one system tune-up tool—clearing caches, removing junk files, and “boosting” Windows performance. To do that, it must routinely touch files in user-writable directories like %TEMP%, AppData\Local, and AppData\Roaming. Many of its operations run under the MSPCManagerService or similar service accounts that possess administrative privileges. If any of those operations accept a carefully crafted NTFS reparse point, the service can be tricked into performing unintended actions on system files.

The 2025 disclosures include multiple related elevation-of-privilege (EoP) advisories—ZDI-25-294, ZDI-25-579, CVE-2025-47993, and CVE-2025-49738—all stemming from the same fundamental design flaw. The common thread is a lack of validation before following links, allowing an attacker with only local code execution rights to break out of their limited sandbox.

How the attack unfolds

The exploitation dance is deceptively simple:

  1. Reconnaissance – The attacker identifies which PC Manager workflow (scheduled cleanup, log rotation, resource loading) acts on a file or directory they can write to.
  2. Plant – Using the mklink command or API calls, they create a reparse point that points to a target like C:\Windows\System32\utilman.exe or a DLL loaded by a privileged service.
  3. Trigger – The attacker either waits for PC Manager’s scheduled task to fire or actively causes the operation, e.g., by clicking “Boost” in the PC Manager UI.
  4. Elevate – PC Manager follows the link and performs the file operation with SYSTEM rights. This could mean deleting a system binary, overwriting a DLL with a payload, or moving an attacker-controlled executable into a trusted directory. From there, code execution with full integrity is a single service restart or scheduled task away.

Because the attack requires local code execution to plant the reparse point, it is not a remote exploitation vector. However, in real-world intrusions, local EoP is the pivotal link that turns a limited foothold—from phishing, a Trojan downloader, or a compromised internal account—into total host compromise. Ransomware groups and nation-state actors routinely chain such flaws to disable defenses, persist, and move laterally.

Affected versions and the patch

Microsoft’s Security Update Guide lists all versions of PC Manager below 3.16.1.0 as vulnerable. The NVD entry for CVE-2025-29975 confirms the affected software as “Microsoft PC Manager” with versions “up to (excluding) 3.16.1.0”. The fix arrived in May 2025 Patch Tuesday, alongside 137 other vulnerabilities addressed that month, and was further documented in July 2025 security roundups.

If you’re using any edition of PC Manager—whether bundled with Windows, deployed through Microsoft Store, or installed via a third-party channel—check the version immediately. You can verify the installed version via PowerShell or your endpoint management platform.

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Where-Object {$_.DisplayName -match 'PC Manager'}

Immediate actions for IT teams

1. Inventory and patch

Use SCCM, Intune, or a simple script to identify every endpoint running PC Manager. Deploy the updated package (version 3.16.1.0 or later) through your normal patch channels. Microsoft published the fix through Windows Update and the Microsoft Store; enterprise admins can push the update via WSUS or third-party patch management tools.

2. Mitigate if patching is delayed

  • Application control – Create AppLocker or Windows Defender Application Control (WDAC) policies to block execution of MSPCManagerService.exe and the PC Manager GUI executable until the patch is applied.
  • Restrict symlink creation – By default, only administrators hold SeCreateSymbolicLinkPrivilege, but junctions can still be created by low-privileged users. Use Group Policy to harden the local security policy and consider limiting interactive logins on critical servers.
  • Least privilege – Remove unnecessary local admin rights from user accounts. An attacker who already has admin credentials doesn’t need this EoP.

3. Hunt for signs of exploitation

Symlink abuse leaves subtle traces. You’ll need to correlate reparse point creation with subsequent privileged file operations. The following telemetry sources are essential:
- File system metadata – Scan for NTFS reparse points in C:\Users\*\AppData\Local\Temp and AppData\Roaming.
- Process creation logs (Sysmon Event ID 1) – Capture MSPCManagerService.exe launches and their parent processes.
- File creation/stream hash logs (Sysmon Event IDs 11, 15) – Watch for files created just before PC Manager accesses system paths.

A quick PowerShell hunt for reparse points:

$paths = "$env:USERPROFILE\AppData\Local\Temp","$env:USERPROFILE\AppData\Roaming"
Get-ChildItem -Path $paths -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint } |
    Select FullName, LastWriteTime

Correlate the timestamps with PC Manager service activity. In a SIEM, craft a rule like: “reparse point created in Temp, followed within 5 minutes by MSPCManagerService.exe accessing C:\Windows or C:\Program Files.”

4. Post-patch validation

After deploying the fix, re-run your inventory script to confirm all endpoints are on 3.16.1.0 or later. For any endpoint where exploitation is suspected, collect volatile artifacts:
- Windows Event Logs (Security, System, Application)
- Prefetch files and USN journal
- Memory dump from the PC Manager service
- EDR alerts that correlate with the timeframe

Why detection is challenging

The core issue is that PC Manager’s legitimate file operations—deleting temp files, rotating logs—often look indistinguishable from malicious use. The only clear signal is the combination: a user-writable reparse point created, followed by a privileged file operation in a protected location. Most EDR platforms don’t natively link those two events without custom rules, which is why the hunt scripts and Sysmon configurations are so important.

A conceptual Sysmon rule snippet:

<RuleGroup groupRelation="and">
  <FileCreate onmatch="include">
    <Image condition="end with">MSPCManagerService.exe</Image>
    <TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
  </FileCreate>
</RuleGroup>

This would fire on any file creation in System32 by the PC Manager service—a suspicious action that deserves investigation even without a known reparse point.

Long-term hardening

  • File integrity monitoring (FIM) – Place watchpoints on critical directories: C:\Windows\System32, C:\Windows\SysWOW64, C:\Program Files, and any DLL search order paths. Alert on delete, rename, or modification operations performed by the PC Manager service identity.
  • Endpoint behavior analytics – Use your EDR’s anomaly detection to spot the sequence of a low-privilege user creating a reparse point and then a SYSTEM process modifying a protected file.
  • Development policy – If you build internal tools that run with elevated rights, audit every file operation they perform. Ensure they call CreateFile with the FILE_FLAG_OPEN_REPARSE_POINT flag or use GetFinalPathNameByHandle to resolve the real target before acting.

The bigger picture

Local privilege escalation bugs in system utilities are not a theoretical threat. The 2025 PC Manager advisories landed in the same year that multiple Windows components—print spooler, task scheduler, and even Defender itself—received patches for similar link-following issues. For blue teams, the message is clear: maintenance and “optimization” tools that blur user and system boundaries must be treated as potential attack surfaces. Every PC Manager installation on a fleet is a possible pivot point unless it’s patched.

Security researcher commentary on the ZDI advisories emphasizes that “improper link resolution before file access” (CWE-59) remains frustratingly common. The fact that Microsoft’s own utility fell victim to it in 2025 shows that even seasoned developers can overlook the dangers of file system redirection.

Top takeaways for defenders

  • Patch now – CVE-2025-29975 and its sibling CVEs are fixed in PC Manager 3.16.1.0. Deploy the update across all endpoints.
  • Hunt for reparse points – Use the PowerShell hunts provided, and feed the results into your SIEM.
  • Layer detection – Sysmon, FIM, and behavioral rules are your best chance to catch in-progress exploitation.
  • Restrict execution – If you can’t patch, use AppLocker or WDAC to block PC Manager.
  • Educate teams – Ensure helpdesk and desktop staff recognize that “tune-up” software is part of the threat landscape.

For organizations that need a ready-to-drop SOC playbook, the PowerShell and Sysmon examples above form a solid starting point. The next step is to adapt them to your specific logging infrastructure—whether Splunk, Microsoft Sentinel, or ELK—and tune out noise from legitimate operations.

Microsoft’s MSRC advisory for CVE-2025-29975, the NVD entry, and the ZDI writeups provide the official technical details. Community analyses have already begun mapping the exploitation chain and detection logic, making this one of the better-documented link-following EoPs of the year. Now it’s up to defenders to act before adversaries do.