Cisco Issues Warning Over ClamAV Bug with PoC Exploit
January 26, 2025
Cisco has rolled out security patches to fix a denial-of-service (DoS) vulnerability in ClamAV, identified as CVE-2025-20128. The company's Product Security Incident Response Team (PSIRT) has also alerted users about the existence of a proof-of-concept (PoC) exploit for this security flaw. The vulnerability is located in ClamAV's Object Linking and Embedding 2 (OLE2) decryption routine.
An unauthenticated, remote attacker could exploit this flaw to trigger a DoS condition on an unpatched device. ClamAV, an open-source antivirus engine maintained by Cisco, is used primarily to detect malicious content such as viruses and malware. It is commonly deployed for email scanning, file scanning, and web security, especially on Linux-based systems.
The vulnerability is caused by an integer underflow in a bounds check, which results in a heap buffer overflow read. “An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device.” reads the advisory. “A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software.”
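The bug class the advisory describes, an unsigned subtraction inside a bounds check that wraps and lets an out-of-range read through, shown beside the corrected check. This is an added C example; the record format, function names and sample inputs are constructed for illustration and are not ClamAV's OLE2 code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample format (not ClamAV's): a 4-byte header holding a
 * little-endian 16-bit payload offset and a 16-bit payload length, followed
 * by the payload. The parser must confirm that [offset, offset + len) lies
 * inside the buffer before reading it. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable check: subtracts first, compares second. When the header's
 * offset exceeds buf_len, buf_len - offset wraps to a huge size_t, the
 * comparison passes, and the caller reads past the end of the heap buffer. */
int locate_payload_unsafe(const uint8_t *buf, size_t buf_len,
                          size_t *off, size_t *len) {
    if (buf_len < 4) return 0;
    *off = rd16(buf);
    *len = rd16(buf + 2);
    if (buf_len - *off < *len) return 0;   /* BUG: underflows when *off > buf_len */
    return 1;
}

/* Hardened check: validate the offset before subtracting so the subtraction
 * can never wrap, then bound the length by the bytes that actually remain. */
int locate_payload_safe(const uint8_t *buf, size_t buf_len,
                        size_t *off, size_t *len) {
    if (buf_len < 4) return 0;
    *off = rd16(buf);
    *len = rd16(buf + 2);
    if (*off > buf_len) return 0;          /* offset itself is out of range */
    if (*len > buf_len - *off) return 0;   /* length exceeds remaining bytes */
    return 1;
}

/* Constructed inputs: a well-formed record, and a crafted one whose
 * offset (0xFFFF) points far beyond the 8-byte buffer. */
const uint8_t sample_ok[8]  = { 0x04, 0x00, 0x04, 0x00, 'A', 'B', 'C', 'D' };
const uint8_t sample_bad[8] = { 0xFF, 0xFF, 0x10, 0x00, 'A', 'B', 'C', 'D' };
const size_t  sample_len = 8;

/* Runs a locator over a buffer: -1 = rejected, 0 = accepted and in bounds,
 * 1 = accepted although the span overruns the buffer (an over-read). */
int classify(int (*locate)(const uint8_t *, size_t, size_t *, size_t *),
             const uint8_t *buf, size_t buf_len) {
    size_t off = 0, len = 0;
    if (!locate(buf, buf_len, &off, &len)) return -1;
    return (off > buf_len || len > buf_len - off) ? 1 : 0;
}

int main(void) {
    printf("unsafe/bad: %d  safe/bad: %d\n",
           classify(locate_payload_unsafe, sample_bad, sample_len),
           classify(locate_payload_safe, sample_bad, sample_len));
    return 0;
}
```

The unsafe check accepts the crafted record and hands the caller a span that runs past the buffer, which is exactly the over-read that crashes the scanner; the hardened check rejects it.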
This medium-impact vulnerability has the potential to affect Linux, Mac, and Windows systems. It could cause scanning operations to crash, delay, or stop completely. At this time, the Cisco PSIRT is not aware of any real-world attacks exploiting this vulnerability. The flaw was reported by Google OSS-Fuzz.
In February 2023, Cisco addressed a critical flaw in ClamAV, tracked as CVE-2023-20032 (CVSS score: 9.8). That vulnerability, a remote code execution bug in the HFS+ file parser component, could allow an attacker to execute code on vulnerable devices or trigger a DoS condition. It affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Simon Scannell of Google was credited with reporting it.
That 2023 flaw is essentially a buffer overflow in the ClamAV scanning library, caused by a missing buffer size check.