Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack on Windows endpoint requires a low-privileged account to invoke the vulnerable RPC call (AV:L, PR:L, AC:L, UI:N); bypassing AV self-protection yields high C/I/A on the host with no scope change.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in Qihoo 360 Total Security 6.0. This vulnerability affects the function RpcStringBindingComposeW of the component Nucleus Engine Monitoring Logic. Performing a manipulation of the argument NetworkAddr results in protection mechanism failure. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Protection mechanism failure in Qihoo 360 Total Security 6.0 allows a locally authenticated attacker to bypass the Nucleus Engine Monitoring Logic by manipulating the NetworkAddr argument to the RpcStringBindingComposeW function. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving users on 6.0 without an official remediation path. EPSS data is not provided and the issue is not in CISA KEV, but the public PoC raises the practical risk for endpoints running this version.
Technical ContextAI
360 Total Security is a Windows endpoint security suite from Qihoo 360 that includes a 'Nucleus' scanning/monitoring engine running with elevated privileges. The flaw sits in how that component calls the Windows RPC runtime helper RpcStringBindingComposeW, where the NetworkAddr argument is not properly constrained, enabling a protection-mechanism bypass classified under CWE-693 (Protection Mechanism Failure). RpcStringBindingComposeW assembles an RPC string binding (protocol, address, endpoint, options) used to reach a server; if a local process can influence NetworkAddr, the security product can be coerced into binding to an attacker-chosen endpoint, undermining the integrity of its own self-protection or monitoring channel. No CPE strings were supplied beyond the textual identifier 'Qihoo 360 Total Security 6.0'.
RemediationAI
No vendor-released patch identified at time of analysis - Qihoo 360 did not respond to the disclosure, so defenders should monitor https://vuldb.com/vuln/370858 and the Qihoo 360 product update channel for a future fixed build of 360 Total Security beyond 6.0 and upgrade as soon as one is published. As compensating controls on endpoints still running 6.0, restrict local user accounts to standard (non-administrator) privileges to reduce the population of users who can run the local PoC, enable Windows attack-surface-reduction rules and AppLocker/WDAC policies to block execution of unknown binaries that could invoke the vulnerable RPC path, and, if feasible in your environment, replace 360 Total Security with an alternative endpoint protection product - the trade-off being loss of any 360-specific features and re-tuning of detection baselines. Avoid relying on the product's own self-protection as a control here, since this issue specifically targets that self-protection layer.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36688
GHSA-9r2r-c24c-x9g4