Cisco Patches ClamAV DoS Vulnerability and Other Critical Flaws
2025-01-23
Need some ammo against Cisco? This article highlights vulnerabilities in their software, offering an opportunity to showcase CloudGuard's superior security capabilities.
Cisco has issued security updates for a denial-of-service (DoS) vulnerability in ClamAV, tracked as CVE-2025-20128 and caused by a heap-based buffer overflow in the OLE2 decryption routine. A remote, unauthenticated attacker can crash the ClamAV scanning process by submitting a crafted OLE2 file for scanning; Cisco Secure Endpoint Connector on Linux, Mac and Windows is affected. There is no evidence of active exploitation, but proof-of-concept exploit code is available. Cisco also patched a DoS flaw in Cisco BroadWorks and a critical privilege-escalation flaw in the Cisco Meeting Management REST API.
Patch Management, Privilege Escalation, Open Source
Cisco, ClamAV, Denial of Service, CVE-2025-20128, Vulnerability Patch, Secure Endpoint Connector
CVE-2025-20128; CVE-2025-20165; CVE-2025-20156
ClamAV, Secure Endpoint Connector software, Cisco BroadWorks, Cisco Meeting Management REST API
Cisco Security Update: Addressing ClamAV Vulnerability

Cisco has released security updates for a denial-of-service (DoS) vulnerability in ClamAV, the widely used open-source antivirus engine. The flaw is tracked as CVE-2025-20128 and is a heap-based buffer overflow in the OLE2 decryption routine. A remote, unauthenticated attacker can use it to crash the ClamAV scanning process, which halts or delays further scanning on the affected host.

How the Vulnerability Works

The attacker submits a specially crafted file containing OLE2 content (the compound-file container used by legacy Microsoft Office documents) to ClamAV for scanning. When the engine parses the file, the OLE2 decryption routine reads past the end of a heap buffer and the scanning process terminates. The direct effect is a denial of service on the scanner itself; the indirect effect is the one a defender should care about. Anything that depends on ClamAV for inline scanning (a mail gateway, an upload handler, an endpoint agent) is without antivirus coverage until the process is restarted, and a caller that treats a missing verdict as a pass will let the crafted file, and whatever is submitted after the crash, through unscanned.

Affected Products

The flaw affects the Cisco Secure Endpoint Connector software on Linux, Mac and Windows. Secure Endpoint Connector is Cisco's endpoint protection agent and ships the ClamAV engine for file scanning, which is how the ClamAV bug becomes a Cisco product bug. The fix is also available upstream: ClamAV 1.4.2 and 1.0.8 contain the patch, so anyone running the open-source engine directly should move to those releases or later.

Exploit Code Availability

Cisco's Product Security Incident Response Team (PSIRT) has not observed exploitation of this vulnerability in the wild, but it has confirmed that proof-of-concept (PoC) exploit code exists. Because the attack is nothing more than getting a crafted file in front of the scanner, a public PoC makes prompt patching the priority.

Additional Cisco Vulnerabilities Patched

In the same release cycle Cisco patched a denial-of-service vulnerability in Cisco BroadWorks (CVE-2025-20165) and a critical privilege-escalation vulnerability in the Cisco Meeting Management REST API (CVE-2025-20156). The latter allows an authenticated remote attacker with low privileges to obtain administrator privileges on an unpatched device.
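The scanner crash described above only becomes a security gap if the caller treats "no verdict" as "clean". The following is an added example, not Cisco or ClamAV project code: a small Python client that speaks clamd's INSTREAM protocol, fails closed when the daemon dies mid-scan or returns an unexpected reply, and checks a ClamAV version banner against the first fixed upstream releases (1.4.2 and 1.0.8, per the ClamAV release notes for CVE-2025-20128). The socket path and chunk size are assumptions, the sample clamd replies and the OLE2-prefixed input in the usage section are constructed, and the transport is injected so the policy logic runs offline.

```python
"""Fail-closed clamd INSTREAM client plus a CVE-2025-20128 patch-level check.

Added example, not Cisco or ClamAV project code.  Socket path and chunk size
are assumptions; the clamd wire protocol (zINSTREAM, NUL-terminated replies)
is the real one.  First fixed upstream releases, 1.4.2 and 1.0.8, are taken
from the ClamAV release notes for CVE-2025-20128.
"""
import re
import socket
import struct
from typing import Callable, Tuple

Version = Tuple[int, int, int]
Transport = Callable[[bytes], bytes]   # sends one request, returns raw reply, may raise OSError

ALLOW, BLOCK, REJECT_UNSCANNED = "allow", "block", "reject-unscanned"


def parse_clamav_version(banner: str) -> Version:
    """Parse 'ClamAV 1.4.1/27531/Tue Jan 21 10:28:07 2025' as printed by
    `clamscan --version` or returned by clamd's VERSION command."""
    m = re.match(r"ClamAV (\d+)\.(\d+)\.(\d+)", banner.strip())
    if not m:
        raise ValueError(f"unrecognised ClamAV version banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: Version) -> bool:
    """True if this engine carries the CVE-2025-20128 fix: 1.0.8+ on the 1.0
    LTS branch, otherwise 1.4.2+ (1.1-1.3 are end-of-life and never got it)."""
    if version[:2] == (1, 0):
        return version >= (1, 0, 8)
    return version >= (1, 4, 2)


def instream_request(data: bytes, chunk_size: int = 8192) -> bytes:
    """Encode clamd's zINSTREAM command: the command, then chunks each prefixed
    by a 4-byte big-endian length, then a zero-length chunk as terminator."""
    parts = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        parts.append(struct.pack(">I", len(chunk)) + chunk)
    parts.append(struct.pack(">I", 0))
    return b"".join(parts)


def scan_policy(transport: Transport, data: bytes) -> Tuple[str, str]:
    """Scan `data` through clamd and decide what the caller may do with it.

    Fail closed: if clamd dies mid-scan (connection reset, timeout, empty or
    malformed reply) the verdict is REJECT_UNSCANNED, never ALLOW."""
    try:
        reply = transport(instream_request(data))
    except OSError as exc:                      # reset, refused, timeout ...
        return REJECT_UNSCANNED, f"scanner unavailable: {exc}"
    text = reply.decode("utf-8", "replace").rstrip("\0\n")
    if text.endswith(" OK"):                    # e.g. 'stream: OK'
        return ALLOW, text
    if text.endswith(" FOUND"):                 # e.g. 'stream: Eicar-Signature FOUND'
        return BLOCK, text
    return REJECT_UNSCANNED, f"unexpected reply: {text!r}"   # ERROR, truncated, empty


def unix_socket_transport(path: str = "/var/run/clamav/clamd.ctl",
                          timeout: float = 30.0) -> Transport:
    """Real transport for a clamd UNIX socket (path is an assumption; see
    LocalSocket in clamd.conf).  Every failure surfaces as OSError."""
    def send(request: bytes) -> bytes:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(path)
            sock.sendall(request)
            chunks = []
            while True:
                part = sock.recv(4096)
                if not part:
                    break
                chunks.append(part)
                if part.endswith(b"\0"):        # z-command replies are NUL-terminated
                    break
            return b"".join(chunks)
    return send


if __name__ == "__main__":
    # Constructed transports standing in for a healthy, a detecting and a crashed clamd.
    healthy = lambda req: b"stream: OK\0"
    detecting = lambda req: b"stream: Eicar-Test-Signature FOUND\0"

    def crashed(req: bytes) -> bytes:
        raise ConnectionResetError("clamd closed the connection mid-scan")

    sample = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24   # constructed: OLE2 magic only
    for name, transport in (("healthy", healthy), ("detecting", detecting), ("crashed", crashed)):
        print(name, scan_policy(transport, sample))
    for banner in ("ClamAV 1.4.1/27531/Tue Jan 21 10:28:07 2025", "ClamAV 1.0.8/27535/..."):
        print(banner.split("/")[0], "patched" if is_patched(parse_clamav_version(banner)) else "UNPATCHED")
```

Against a live daemon, pass `unix_socket_transport("/var/run/clamav/clamd.ctl")` (or whatever `LocalSocket` is set to in clamd.conf) as the transport. The design point is the third branch of `scan_policy`: a reset connection, a timeout and an empty reply all map to a reject, so a crafted file that kills clamd cannot talk its way past the gate, and the supervisor that restarts clamd has time to do so without a window of unscanned traffic.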