Realtek Bluetooth Driver Flaw Allows Attackers to Delete Any File on Windows Systems

A high-severity security vulnerability has been identified in the Realtek Bluetooth Host Controller Interface (HCI) Adaptor, raising significant concerns for device manufacturers and end-users.

The flaw, tracked as CVE-2024-11857, was disclosed on June 2, 2025, and published in both the National Vulnerability Database (NVD) and the GitHub Advisory Database within hours of its discovery.

This vulnerability centers on a “Link Following” issue that allows local attackers with standard user privileges to exploit the Bluetooth stack for privilege escalation.

The technical core of the vulnerability lies in the improper handling of symbolic links (symlinks) by the Realtek Bluetooth HCI Adaptor.

Local attackers can create a symlink with the same name as a specific file that the adaptor is programmed to delete.

When the adaptor executes the deletion, it follows the symlink and removes the file pointed to by the attacker, enabling arbitrary file deletion.

This can be leveraged by attackers to escalate their privileges on the system, potentially compromising device security.

Technical Details and Exploitation Path

According to the report, the vulnerability exploits a classic file system weakness known as a symlink or “Link Following” attack.

In this scenario, an attacker with regular user privileges creates a symlink that redirects file operations intended for a benign file to a critical system file.

When the Realtek Bluetooth HCI Adaptor attempts to delete the original file, it instead deletes the file targeted by the symlink, which could be a system configuration or security file.

This arbitrary file deletion can be chained with other vulnerabilities or misconfigurations to achieve privilege escalation.

The vulnerability affects all versions of the Realtek Bluetooth HCI Adaptor below version 1.1.73.1, according to vulnerability databases.

As of this publication, no patched versions have been released, and the full list of affected package versions remains unknown.

The vulnerability is classified as high severity, with a CVSS v3.0 base score of 7.8 and a CVSS v4.0 base score of 8.5, reflecting its potential impact on confidentiality, integrity, and availability.

Example of a Symlink Attack:

bash# Attacker creates a symlink named 'target_file' pointing to '/etc/shadow'
ln -s /etc/shadow /tmp/target_file

# If the Bluetooth HCI Adaptor deletes '/tmp/target_file', it will delete '/etc/shadow'

Risk Assessment and Mitigation Strategies

The Link Following vulnerability in the Realtek Bluetooth HCI Adaptor is particularly dangerous because it allows attackers with only local, non-administrative privileges to escalate their access.

This type of vulnerability is often exploited in post-exploitation scenarios, where an attacker has already gained a foothold on a system and seeks to gain further control.

Vulnerability Metrics Table

Recommended Actions:

• Monitor for updates from Realtek and apply patches as soon as they become available.
• Restrict local user privileges and monitor for suspicious symlink creation.
• Employ file integrity monitoring to detect unauthorized file deletions.
• Consider isolating Bluetooth stack operations in sandboxed environments to limit the impact of potential exploitation.

The discovery of CVE-2024-11857 highlights ongoing challenges in Bluetooth stack security and the importance of robust file handling practices in driver and adaptor software.

Until a patch is released, organizations using Realtek Bluetooth HCI Adaptors should remain vigilant and implement layered security controls to mitigate the risk of exploitation.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!