Trend Micro's Zero Day Initiative published advisory ZDI-26-402 on July 8, 2026, exposing a local privilege escalation vulnerability in Glarysoft Glary Utilities that remained unpatched for nearly 13 months. The initial vendor report dates to May 29, 2025. The attack exploits link following via an NTFS junction in the Disk Clean feature, allowing code already running with limited privileges to delete arbitrary files and chain that action to execute code as SYSTEM.
- Vulnerability ZDI-26-402 enables escalation from low privileges to SYSTEM in Glarysoft Glary Utilities, a mainstream Windows maintenance utility.
- The exploit runs through the Disk Clean feature: an NTFS junction directs the elevated service toward files the attacker intends to delete.
- Coordinated disclosure occurred on July 8, 2026, after an initial report on May 29, 2025, and at least two follow-ups without vendor acknowledgment of receipt.
- No patch is documented as available at the time of the advisory's publication, according to the cited text.
The Technical Mechanism: When Disk Clean Becomes a Weapon
The flaw resides specifically in Glary Utilities' Disk Clean feature, a component designed to free space by deleting temporary and residual system files. The service operates with elevated privileges, a standard condition for maintenance software that must act on protected directories.
The attack begins with the creation of an NTFS junction — a reparse point that acts as a directory link — placed in a location Disk Clean is configured to clean. When the service processes the request, it follows the junction without verifying the actual destination. The result, per the advisory, is the deletion of arbitrary files chosen by the attacker, including files that would normally require SYSTEM privileges to modify.
Full escalation is achieved by chaining this controlled deletion capability. Deleting strategic system files — including critical binaries, shared libraries, or boot components — allows replacing them with malicious payloads that the system will subsequently load with elevated privileges. The ZDI advisory explicitly describes this path: "An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM."
"The specific flaw exists within the Disk Clean functionality. By creating a junction, an attacker can abuse the service to delete arbitrary files."
Why the 0-Day Hits a Vast Attack Surface
Glary Utilities is distributed as a consumer and small-office maintenance tool, with installations numbering in the millions on Windows workstations. Its massive distribution combines with an underestimated risk profile: system utility software is often installed with elevated permissions, updated infrequently, and treated as a second-tier priority in corporate patch management programs.
The attack vector is strictly local, but that does not limit its severity. Malware already present on a workstation with standard user privileges — a common scenario after initial infections via phishing or compromised downloads — can exploit ZDI-26-402 to gain SYSTEM-level persistence. From there, compromise extends to disabling endpoint controls, lateral movement, and access to in-memory credentials.
The prerequisite for local execution, as specified in the advisory, is "low-privileged code on the target system." This excludes direct remote attacks but includes precisely the post-compromise phase that makes an initial infection sustainable and difficult to eradicate.
Thirteen Months of Coordinated Disclosure
The ZDI-documented timeline shows a reporting cycle without resolution. The report was submitted to Glarysoft on May 29, 2025. On June 25, 2025, ZDI followed up for acknowledgment of receipt, with no evidence of response. On December 4, 2025, ZDI notified its intent to publish the advisory as a 0-day. Coordinated release occurred on July 8, 2026.
This timeframe — nearly 13 months between report and forced disclosure — exceeds ZDI's standard 120-day window and indicates the disclosure program exhausted possible extensions without obtaining a verifiable fix. The absence of explicit vendor receipt confirmation, noted as a limitation in the dossier, adds uncertainty about Glarysoft's actual awareness of the issue.
It is not stated whether the 0-day publication finally prompted a vendor reaction. The dossier does not specify patches released after July 8, 2026.
Why It Matters
The source does not specify affected Glary Utilities versions, making it impossible to determine whether dated installations or recent ones up to the latest release are vulnerable. The cited advisory does not list an assigned CVE ID or CVSS score, limiting integration into automated patch prioritization systems.
The dossier does not document in-the-wild exploits or active attack campaigns leveraging ZDI-26-402. No specific operational recommendation emerges from the source beyond restricting interaction with the product, cited in the advisory as the sole mitigation strategy given the nature of the vulnerability.
It remains to be verified whether Glarysoft actually received the initial report and through which channels; the ZDI timeline reports only the submission and follow-up, not confirmation. The identity of operators who might exploit this flaw, and their potential early knowledge of the technique, are not documented.
The concrete impact for users and administrators depends on the presence of Glary Utilities in their environments, the ability to detect unmanaged installations, and the availability of alternatives for the Disk Clean functionality that do not expose the same privilege profile.
Information is based on the cited advisory and current as of publication.
Information is based on the cited source and current as of publication.
Sources
- http://www.zerodayinitiative.com/advisories/ZDI-26-402/
- http://www.zerodayinitiative.com/advisories/published/