ClamAV File Decryption Vulnerability Let Remote Attackers Trigger DoS Attack

Cisco has issued a warning on a significant vulnerability in ClamAV’s Object Linking and Embedding 2 (OLE2) decryption routine. 

This flaw, identified as CVE-2025-20128, could allow unauthenticated, remote attackers to trigger a Denial of Service (DoS) condition on affected devices. The vulnerability is rated as Medium Severity with a CVSS base score of 5.3.

ClamAV OLE2 File Format Decryption

The vulnerability stems from an integer underflow during bounds checking, which leads to a heap-based buffer overflow (classified under CWE-122). 

Attackers can exploit this flaw by submitting a maliciously crafted file containing OLE2 content for scanning. 

This vulnerability impacts Windows, Mac, and Linux-based systems. Upon successful exploitation, the ClamAV scanning process crashes, causing a DoS condition. While this disrupts scanning operations, it does not compromise overall system stability.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

“This vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read,” reads the advisory.

“A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software”.

While the vulnerability primarily affects the availability of ClamAV scanning services, it does not compromise data integrity or confidentiality. 

However, delayed or disrupted scanning operations could expose systems to undetected malware threats.

Cisco has acknowledged the existence of proof-of-concept (PoC) exploit code for this vulnerability but has not observed any active malicious exploitation in the wild.

The company has credited Google OSS-Fuzz for identifying this vulnerability and contributing to its resolution.

Affected Products And Fixes Released

The vulnerability impacts multiple platforms that utilize ClamAV, specifically:

• Secure Endpoint Connector for Linux: Fixed in version 1.25.1.
• Secure Endpoint Connector for Mac: Fixed in version 1.24.4.
• Secure Endpoint Connector for Windows: Fixed in versions 7.5.20 and 8.4.3.
• Secure Endpoint Private Cloud: Resolved in version 4.2.0 with updated connectors.

Cisco has confirmed that other products, such as Secure Email Gateway and Secure Web Appliance, are unaffected.

Hence, it is recommended to upgrade to the fixed versions listed above. Automatic updates for Secure Endpoint Connectors are available through the Cisco Secure Endpoint portal, ensuring seamless deployment of patches.

There are no workarounds for this issue. Organizations are advised to prioritize upgrading their software to mitigate risks associated with potential exploitation.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

The post ClamAV File Decryption Vulnerability Let Remote Attackers Trigger DoS Attack appeared first on Cyber Security News.