Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attacker with low privileges abuses an unquoted service path to gain SYSTEM, yielding full C/I/A impact with no user interaction and low complexity.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
AVAST Antivirus 25.11 contains an unquoted service path vulnerability in the SecureLine service that allows local non-privileged users to execute code with elevated SYSTEM privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that execute with high-level system permissions.
AnalysisAI
Local privilege escalation in Avast Antivirus 25.11 allows non-privileged Windows users to execute arbitrary code as SYSTEM by abusing an unquoted service path in the SecureLine service. Publicly available exploit code exists (Exploit-DB 52510), and the issue was reported by VulnCheck; no public exploit identified at time of analysis indicates wider active exploitation, but the low-complexity local vector makes this attractive for post-compromise escalation.
Technical ContextAI
The vulnerability is a CWE-428 Unquoted Search Path issue in the Windows service that hosts Avast SecureLine (per CPE cpe:2.3:a:avast:avast_antivirus:*). When a Windows service is registered with an ImagePath that contains spaces but is not enclosed in quotes (for example C\:\Program Files\Avast Software\...\service.exe), the Service Control Manager attempts to resolve each space-delimited token as a potential executable, walking from the root of the drive outward. An attacker who can write a binary at one of those intermediate filename candidates (e.g. C:\Program.exe) causes that binary to be launched instead of the legitimate service executable. Because the SecureLine service runs as LocalSystem, the injected process inherits SYSTEM privileges on next service start or reboot.
RemediationAI
No vendor-released patch identified at time of analysis; monitor https://www.avast.com/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/avast-antivirus-unquoted-service-path-privilege-escalation for a fixed build of Avast Antivirus after 25.11 and upgrade once available. As compensating controls, administrators can manually correct the SecureLine service ImagePath in the registry under HKLM\SYSTEM\CurrentControlSet\Services by enclosing the full executable path in double quotes (side effect: the change may be reverted by product auto-update or repair), and audit and tighten NTFS permissions on C:\, C:\Program Files, and C:\Program Files (x86) so that non-administrators cannot create files like Program.exe at intermediate path tokens (side effect: may break poorly-written installers that expect write access to those locations). Where feasible, restrict ability of standard users to start or restart the SecureLine service via SDDL on the service to reduce trigger opportunities, accepting that scheduled restarts or reboots can still fire the exploit.
More in Avast Antivirus
View allThe TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,
The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, avast!. Rated medium severity (CVSS 4.3), t
The RAR file parser in ClamAV 0.96.4, Rising Antivirus 22.83.00.03, Quick Heal (aka Cat QuickHeal) 11.00, G Data AntiVir
Local code execution and denial-of-service in Gen Digital antivirus engines (Avast, AVG, Norton, Avast One, Avast Busine
Local code execution or antivirus-process denial-of-service in Gen Digital's shared scanning engine (Avast Antivirus, AV
Out-of-bounds heap read in the Gen Digital antivirus scanning engine (Avast, AVG, Norton, Avast One, Avast Business) all
Heap out-of-bounds write in Gen Digital's shared antivirus scanning engine allows local code execution or denial of serv
Directory traversal vulnerability in Avast before 150918-0 allows remote attackers to delete or write to arbitrary files
Stack overflow in Gen Digital's shared antivirus scanning engine crashes the AV process when it parses a malformed Offic
Stack overflow via uncontrolled recursion crashes the antivirus scanning process across all Gen Digital consumer and bus
Stack use-after-free in the Gen Digital shared antivirus scanning engine crashes the antivirus process when it parses a
Uncontrolled recursion in the Gen Digital shared scanning engine crashes the antivirus process when it encounters a spec
Same weakness CWE-428 – Unquoted Search Path or Element
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210288
GHSA-qqxm-j467-m9mr