CVE-2000-0121 in Windows
Summary
by MITRE
The Recycle Bin utility in Windows NT and Windows 2000 allows local users to read or modify files by creating a subdirectory with the victim's SID in the recycler directory, aka the "Recycle Bin Creation" vulnerability.
Analysis
by VulDB Data Team • 04/20/2026
CVE-2000-0121 is an access control flaw in the Recycle Bin utility of Windows NT and Windows 2000. It stems from improper handling of file permissions and directory structures within the Windows file system, which lets local attackers bypass normal security controls. The flaw lies in how the operating system manages the recycler directory structure and user access permissions, particularly for the Security Identifiers (SIDs) that are unique to each user account.
The vulnerability relies on the predictable naming convention Windows uses for Recycle Bin directories. When a user deletes a file, Windows creates a subdirectory within the recycler folder structure using that user's SID as part of the directory name. An attacker with local access can exploit this by creating a subdirectory with a victim's SID in the recycler directory, effectively gaining unauthorized access to that user's deleted files. The system does not properly validate the ownership or permissions of directories created within the recycler structure, so arbitrary users can access files they should not be able to read or modify.
The operational impact of this vulnerability extends beyond simple information disclosure to encompass potential data modification capabilities that could lead to system compromise. Local users who exploit this vulnerability can read sensitive files that were previously deleted by other users, potentially accessing confidential information, personal data, or system configuration details. The ability to modify files through this vector represents a serious threat to data integrity and confidentiality, as attackers can alter or replace files in the recycler directory, potentially corrupting the victim's data or creating backdoors. This vulnerability directly violates the principle of least privilege and undermines the fundamental security model of Windows operating systems.
Mitigation strategies for this vulnerability require both immediate system-level fixes and long-term architectural improvements to the file system access control mechanisms. Microsoft addressed this issue through security updates that modified how Recycle Bin directories are created and managed, ensuring proper permission controls are enforced. Organizations should implement comprehensive patch management procedures to ensure all systems receive the appropriate security updates. The vulnerability aligns with CWE-276, which describes improper file permissions, and can be mapped to ATT&CK technique T1070.006 for file deletion and T1059.001 for command and scripting interpreter usage. System administrators should also consider implementing additional monitoring for unusual directory creation patterns within recycler structures, as this vulnerability represents a classic example of privilege escalation through improper access control mechanisms in operating system components.
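The monitoring suggested above can begin with a point-in-time audit of the recycler directory. The following PowerShell is an added example, not code from VulDB or Microsoft: it flags SID-named folders whose owner or ACL entries do not match the SID in the folder name. The `$RecyclerPath` default, the `Test-RecyclerFolder` name and the trusted-SID list are assumptions, and the volume must be reachable from a host running PowerShell 3.0 or later.

```powershell
# Added example: audit per-user Recycle Bin folders for owner/ACL mismatches.
# $RecyclerPath is an assumption; point it at the recycler directory to check.
param(
    [string]$RecyclerPath = 'C:\RECYCLER'
)

$sidType = [System.Security.Principal.SecurityIdentifier]
# Assumed allow-list: SIDs expected to hold access on every per-user folder.
$trusted = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Hypothetical helper: returns one object per finding for a single folder.
function Test-RecyclerFolder {
    param([System.IO.DirectoryInfo]$Folder)

    $findings = @()
    $acl   = Get-Acl -LiteralPath $Folder.FullName
    $owner = $acl.GetOwner($sidType).Value

    # The folder name is the SID of the user the bin belongs to, so the
    # owner should be that user or a trusted principal.
    if ($owner -ne $Folder.Name -and $trusted -notcontains $owner) {
        $findings += "owner $owner does not match folder SID"
    }

    # An Allow entry for any other SID means someone besides the named
    # user can reach that user's deleted files.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $sid -ne $Folder.Name -and $trusted -notcontains $sid) {
            $findings += "$sid allowed $($rule.FileSystemRights)"
        }
    }

    foreach ($f in $findings) {
        [pscustomobject]@{ Folder = $Folder.FullName; Finding = $f }
    }
}

# Only folders whose names look like SIDs are per-user bins.
Get-ChildItem -LiteralPath $RecyclerPath -Directory -Force |
    Where-Object { $_.Name -match '^S-1-\d+(-\d+)+$' } |
    ForEach-Object { Test-RecyclerFolder -Folder $_ }
```

No output means every SID-named folder is owned by, and accessible only to, its named user and the trusted principals.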