Tag: cwe-77

  • Critical OS Command Injection in MicroWorld eScan Antivirus (CVE-2025-0798)

    Overview

    A critical vulnerability has been identified in MicroWorld eScan Antivirus version 7.0.32 for Linux. Tracked as CVE-2025-0798, the flaw resides in the Quarantine Handler component, specifically involving the rtscanner file. This vulnerability has been classified as an OS Command Injection issue, allowing remote attackers to execute arbitrary commands on the system.

    Technical Details

    The vulnerability arises from insufficient sanitization of input processed by the rtscanner file. When the system handles quarantined files, it passes user-supplied input into operating system commands without neutralizing shell-significant characters. This is an OS Command Injection, categorized under CWE-78 (OS Command Injection) and the broader CWE-77 (Command Injection), both of which describe untrusted input being incorporated into a command that is then executed.

    While the attack requires no privileges and can be executed remotely, it has a high attack complexity due to the intricate nature of triggering the vulnerable code path. According to public disclosures, exploitation is challenging but possible. A proof-of-concept (PoC) has been made publicly available, increasing the urgency for mitigation.

    Impact Assessment

    The vulnerability has been scored across multiple CVSS versions:

    • CVSS 4.0: 9.2 (CRITICAL) — CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    • CVSS 3.1 & 3.0: 8.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    • CVSS 2.0: 7.6 — AV:N/AC:H/Au:N/C:C/I:C/A:C

    The vulnerability affects confidentiality, integrity, and availability at a high level. Given its remote exploitability and the potential to fully compromise a system, it poses a significant threat to organizations relying on MicroWorld eScan Antivirus for Linux.

    Disclosure and Vendor Response

    The vulnerability was discovered and reported by FPT IS Security and made public through VulDB on January 29, 2025. Despite early vendor notification, there has been no response or official mitigation guidance from MicroWorld as of the latest update.

    Recommendations

    • Limit exposure: Ensure that eScan services are not directly exposed to the internet or untrusted networks.
    • Monitor systems: Watch for abnormal system behavior or unauthorized processes originating from eScan components.
    • Mitigate via containment: If updates or patches are unavailable, consider isolating affected systems or switching to alternative security tools.
    • Exploit awareness: Review the published PoC at GitHub to understand potential attack vectors and detection signatures.
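    One way to act on the "Monitor systems" recommendation is to watch process-creation telemetry for shells spawned by the scanner component. The following is an added detection example, not code from MicroWorld or from the advisory. It assumes the scanner runs under the process name "rtscanner" (taken from the file name in the advisory; the real process name may differ) and that events arrive as JSON lines with the fields shown; the sample events are constructed, not real telemetry.

```python
"""Flag shell processes spawned by an antivirus scanner component.

Added detection example, not code from MicroWorld or from the advisory.
Assumptions: process-creation events arrive as JSON lines with the fields
used below, and the scanner component runs under the process name
"rtscanner" (taken from the advisory's file name; the real process name
may differ).
"""
import json
import re
from typing import Dict, List, Optional

# Assumption: the quarantine handler has no legitimate reason to launch a shell.
SCANNER_PROCESSES = {"rtscanner"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# Shell metacharacters that indicate chained or redirected commands.
METACHAR_RE = re.compile(r"[;&|`$<>]")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = "\n".join([
    '{"ts":"2025-01-29T10:00:01Z","pid":4101,"ppid":4002,"comm":"rtscanner","pcomm":"escan","cmdline":"rtscanner"}',
    '{"ts":"2025-01-29T10:00:02Z","pid":4102,"ppid":4101,"comm":"sh","pcomm":"rtscanner","cmdline":"sh -c mv /tmp/x.bin /quarantine/;id>/tmp/o"}',
    '{"ts":"2025-01-29T10:00:03Z","pid":4103,"ppid":1,"comm":"bash","pcomm":"systemd","cmdline":"bash /usr/local/bin/backup.sh"}',
    '{"ts":"2025-01-29T10:00:04Z","pid":4104,"ppid":4101,"comm":"cp","pcomm":"rtscanner","cmdline":"cp /tmp/x.bin /quarantine/x.bin"}',
])


def evaluate(event: Dict) -> Optional[str]:
    """Return an alert reason for one process-creation event, or None."""
    parent = event.get("pcomm", "")
    child = event.get("comm", "")
    cmdline = event.get("cmdline", "")
    if parent not in SCANNER_PROCESSES:
        return None  # only children of the scanner are in scope
    if child in SHELLS:
        if METACHAR_RE.search(cmdline):
            return "scanner spawned shell with chained command"
        return "scanner spawned shell"
    if METACHAR_RE.search(cmdline):
        return "scanner child cmdline contains shell metacharacters"
    return None


def detect(jsonl: str) -> List[Dict]:
    """Run evaluate() over JSON-lines telemetry and collect alerts."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of crashing the detector
        reason = evaluate(event)
        if reason:
            alerts.append({
                "ts": event.get("ts"),
                "pid": event.get("pid"),
                "reason": reason,
                "cmdline": event.get("cmdline"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

    Run as a script it prints one alert, for the `sh -c` child whose command line chains a second command. The parent/child relationship is the key signal: a direct `cp` child of the scanner without metacharacters is left alone, while any shell child is reported even without metacharacters, because the scanner should not need one.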

    Conclusion

    CVE-2025-0798 highlights the criticality of robust input validation and the risks posed by command injection flaws in security software itself. Organizations using MicroWorld eScan Antivirus should prioritize investigation and risk mitigation measures immediately, particularly in Linux environments.

  • CVE-2025-43858: Critical Command Injection in YoutubeDLSharp on Windows

    Overview

    CVE-2025-43858 is a critical vulnerability discovered in YoutubeDLSharp, a .NET wrapper around the popular command-line video downloaders youtube-dl and yt-dlp. It affects versions from 1.0.0-beta4 up to, but not including, 1.1.2, and allows command injection on Windows systems under specific conditions.

    Technical Details

    The vulnerability is categorized under CWE-77 and CWE-78, which refer to improper neutralization of special elements in command inputs. Specifically, YoutubeDLSharp passes arguments to yt-dlp without proper sanitization when executed via the command prompt on Windows.

    This behavior becomes critical due to the use of the UseWindowsEncodingWorkaround flag, which is set to true by default. Users invoking built-in methods from YoutubeDL.cs cannot override this setting, making them especially vulnerable. As a result, a malicious input could trigger unintended command execution, potentially compromising confidentiality, integrity, and availability on the target system.
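    The defect class described here, an argument that reaches a shell as part of a command string instead of reaching the program as one argv element, is easiest to see side by side. The following is an added example written in Python for illustration; it is not code from YoutubeDLSharp or yt-dlp and makes no claim about how the wrapper's Windows workaround is implemented. The downloader name `TOOL` is never executed; a stand-in child (`python -c`) is used so the example runs offline, and the URL allow-list is a deliberately conservative assumption.

```python
"""Shell-string versus argv-list invocation of a command-line tool.

Added example, not code from YoutubeDLSharp or yt-dlp; it illustrates the
general defect class in Python.  The real downloader is never run: a
stand-in child (python -c ...) reports the argv it actually received.
"""
import json
import re
import subprocess
import sys
from typing import List

TOOL = "yt-dlp"  # name only; never executed here

# Deliberately conservative allow-list (assumption): scheme, host, optional
# port, and a path/query made of a small character set.  Shell-significant
# characters such as & | ; ` $ and whitespace are never admitted.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~%/?=+-]*)?")


def build_shell_command(url: str) -> str:
    """Vulnerable pattern: the input becomes part of a string a shell will parse.

    If `url` contains a separator such as '&' (cmd.exe) or ';' (sh), the shell
    ends the downloader's command line there and runs what follows.
    """
    return f"{TOOL} {url}"


def build_argv(url: str) -> List[str]:
    """Hardened pattern: one list element per argument, executed without a shell.

    '--' tells the tool that what follows is an operand, not an option.
    """
    return [TOOL, "--", url]


def validate_url(url: str) -> bool:
    """Allow-list check applied before the value is handed to any process."""
    return URL_RE.fullmatch(url) is not None


def argv_seen_by_child(url: str) -> List[str]:
    """Execute a stand-in child without a shell and return the argv it received.

    Whatever metacharacters `url` contains, the child sees it as a single
    argument because no shell ever tokenizes the command line.
    """
    probe = "import sys, json; print(json.dumps(sys.argv[1:]))"
    proc = subprocess.run(
        [sys.executable, "-c", probe, url],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed hostile input: a URL with a trailing shell-style command.
    hostile = "https://example.com/watch?v=abc & echo INJECTED"
    print("shell string :", build_shell_command(hostile))
    print("argv list    :", build_argv(hostile))
    print("child argv   :", argv_seen_by_child(hostile))
    print("allowed?     :", validate_url(hostile))
```

    The point of `argv_seen_by_child` is that the argv-list form works even for input the allow-list would reject: the child receives the whole hostile string as one element. Validation is still worth keeping as a second layer, because a downloader may interpret option-like operands itself, which is why the hardened form also inserts `--`.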

    CVSS Score and Severity

    The vulnerability has been assigned a CVSS v3.1 base score of 9.2, classifying it as CRITICAL. The vector string is:

    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

    This indicates that the attack is carried out locally with low complexity, no privileges, and no user interaction, that it changes scope beyond the vulnerable component, and that it results in high impact on confidentiality and integrity and low impact on availability.

    Affected Versions

    • Product: YoutubeDLSharp
    • Vendor: Bluegrams
    • Versions Affected: >= 1.0.0-beta4 and < 1.1.2

    Mitigation

    The vulnerability has been addressed in version 1.1.2. All users of affected versions should:

    • Upgrade to v1.1.2 immediately
    • Review usage of built-in command execution methods in their implementations
    • Avoid relying on defaults that obscure execution context or encoding behavior

    Conclusion

    CVE-2025-43858 highlights the risks of executing command-line utilities without stringent input validation. Developers embedding third-party tools like yt-dlp should ensure that all input is carefully sanitized to avoid introducing critical security flaws. Updating to the latest version is essential for maintaining a secure software environment.