Skip to main content

Avast Antivirus CVE-2025-71326

| EUVDEUVD-2025-210288 HIGH
Unquoted Search Path or Element (CWE-428)
2026-06-19 VulnCheck GHSA-qqxm-j467-m9mr
8.5
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local attacker with low privileges abuses an unquoted service path to gain SYSTEM, yielding full C/I/A impact with no user interaction and low complexity.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 15:30 vuln.today

DescriptionCVE.org

AVAST Antivirus 25.11 contains an unquoted service path vulnerability in the SecureLine service that allows local non-privileged users to execute code with elevated SYSTEM privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that execute with high-level system permissions.

AnalysisAI

Local privilege escalation in Avast Antivirus 25.11 allows non-privileged Windows users to execute arbitrary code as SYSTEM by abusing an unquoted service path in the SecureLine service. Publicly available exploit code exists (Exploit-DB 52510), and the issue was reported by VulnCheck; no public exploit identified at time of analysis indicates wider active exploitation, but the low-complexity local vector makes this attractive for post-compromise escalation.

Technical ContextAI

The vulnerability is a CWE-428 Unquoted Search Path issue in the Windows service that hosts Avast SecureLine (per CPE cpe:2.3:a:avast:avast_antivirus:*). When a Windows service is registered with an ImagePath that contains spaces but is not enclosed in quotes (for example C\:\Program Files\Avast Software\...\service.exe), the Service Control Manager attempts to resolve each space-delimited token as a potential executable, walking from the root of the drive outward. An attacker who can write a binary at one of those intermediate filename candidates (e.g. C:\Program.exe) causes that binary to be launched instead of the legitimate service executable. Because the SecureLine service runs as LocalSystem, the injected process inherits SYSTEM privileges on next service start or reboot.

RemediationAI

No vendor-released patch identified at time of analysis; monitor https://www.avast.com/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/avast-antivirus-unquoted-service-path-privilege-escalation for a fixed build of Avast Antivirus after 25.11 and upgrade once available. As compensating controls, administrators can manually correct the SecureLine service ImagePath in the registry under HKLM\SYSTEM\CurrentControlSet\Services by enclosing the full executable path in double quotes (side effect: the change may be reverted by product auto-update or repair), and audit and tighten NTFS permissions on C:\, C:\Program Files, and C:\Program Files (x86) so that non-administrators cannot create files like Program.exe at intermediate path tokens (side effect: may break poorly-written installers that expect write access to those locations). Where feasible, restrict ability of standard users to start or restart the SecureLine service via SDDL on the service to reduce trigger opportunities, accepting that scheduled restarts or reboots can still fire the exploit.

CVE-2012-1459 MEDIUM
4.3 Mar 21

The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,

CVE-2012-1457 MEDIUM
4.3 Mar 21

The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, avast!. Rated medium severity (CVSS 4.3), t

CVE-2012-1443 MEDIUM
4.3 Mar 21

The RAR file parser in ClamAV 0.96.4, Rising Antivirus 22.83.00.03, Quick Heal (aka Cat QuickHeal) 11.00, G Data AntiVir

CVE-2025-7011 HIGH
7.8 Jun 12

Local code execution and denial-of-service in Gen Digital antivirus engines (Avast, AVG, Norton, Avast One, Avast Busine

CVE-2025-7009 HIGH
7.8 Jun 12

Local code execution or antivirus-process denial-of-service in Gen Digital's shared scanning engine (Avast Antivirus, AV

CVE-2025-7008 HIGH
7.8 Jun 12

Out-of-bounds heap read in the Gen Digital antivirus scanning engine (Avast, AVG, Norton, Avast One, Avast Business) all

CVE-2025-7004 HIGH
7.8 Jun 12

Heap out-of-bounds write in Gen Digital's shared antivirus scanning engine allows local code execution or denial of serv

CVE-2015-5662 MEDIUM
6.4 Oct 18

Directory traversal vulnerability in Avast before 150918-0 allows remote attackers to delete or write to arbitrary files

CVE-2025-7019 MEDIUM
5.5 Jun 12

Stack overflow in Gen Digital's shared antivirus scanning engine crashes the AV process when it parses a malformed Offic

CVE-2025-7010 MEDIUM
5.5 Jun 12

Stack overflow via uncontrolled recursion crashes the antivirus scanning process across all Gen Digital consumer and bus

CVE-2025-7006 MEDIUM
5.5 Jun 12

Stack use-after-free in the Gen Digital shared antivirus scanning engine crashes the antivirus process when it parses a

CVE-2025-7005 MEDIUM
5.5 Jun 12

Uncontrolled recursion in the Gen Digital shared scanning engine crashes the antivirus process when it encounters a spec

Share

CVE-2025-71326 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy