Denial of Service Vulnerability in ClamAV OLE2 Processing
CVE-2025-20128
Key Information:
- Vendor: Cisco
- Status: Vendor
- CVE Published: 22 January 2025
What is CVE-2025-20128?
CVE-2025-20128 is a denial of service (DoS) vulnerability found in the ClamAV antivirus software, which is widely used for scanning and detecting malware in various file formats. ClamAV aims to protect systems from malicious files; however, this specific vulnerability exposes it to potential disruption. An unauthenticated remote attacker could exploit this flaw through specially crafted files containing Object Linking and Embedding 2 (OLE2) content. If successfully executed, the attack could cause the ClamAV scanning process to terminate, hindering the software's ability to function and protect networks effectively.
Technical Details
This vulnerability arises from an integer underflow in the bounds checking of ClamAV's OLE2 decryption routine. The underflow allows a heap buffer over-read, so an attacker can craft a file that crashes the scanning process when ClamAV scans it on an affected device. Exploitation requires only that a malicious file be submitted for scanning, which makes the flaw relatively easy to trigger against vulnerable systems.
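The bug class named above, an unsigned bounds check that wraps when an attacker-controlled offset exceeds the buffer size, shown beside its hardened form. This is a constructed illustration added here, not ClamAV's code or the real OLE2 layout; the 4-byte header format, the function names and the sample records are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed header for illustration: a 16-bit little-endian payload offset
 * followed by a 16-bit payload length, both attacker-controlled in a crafted
 * file. Not the real OLE2 structure. */
#define HDR_SIZE 4u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Weak bounds check (the integer underflow pattern): buf_len and offset are
 * unsigned, so when offset > buf_len the subtraction wraps to a huge value
 * and any payload length is accepted. Returns true if the check approves. */
bool weak_payload_fits(size_t buf_len, size_t offset, size_t len)
{
    return len <= buf_len - offset;          /* wraps when offset > buf_len */
}

/* Hardened form: reject an offset past the end before subtracting, so the
 * subtraction can never underflow. */
bool safe_payload_fits(size_t buf_len, size_t offset, size_t len)
{
    if (offset > buf_len)
        return false;
    return len <= buf_len - offset;
}

/* Parse the header and decide whether the declared payload may be read.
 * Returns the payload length if the chosen check approves, or -1 if the
 * record is rejected. An approval from the weak path may describe a span
 * that lies outside buf, i.e. exactly the over-read a scanner would crash on. */
long locate_payload(const uint8_t *buf, size_t buf_len, bool hardened)
{
    if (buf_len < HDR_SIZE)
        return -1;
    size_t offset = rd16(buf);
    size_t len = rd16(buf + 2);
    bool ok = hardened ? safe_payload_fits(buf_len, offset, len)
                       : weak_payload_fits(buf_len, offset, len);
    return ok ? (long)len : -1;
}

/* Constructed 8-byte record whose header claims offset 0x0100 (256), far past
 * the end of the buffer, and a 16-byte payload. */
const uint8_t crafted[8] = { 0x00, 0x01, 0x10, 0x00, 0x41, 0x41, 0x41, 0x41 };
/* Constructed benign record: payload at offset 4, length 4, fits exactly. */
const uint8_t benign[8]  = { 0x04, 0x00, 0x04, 0x00, 0x42, 0x42, 0x42, 0x42 };
```

The weak check accepts the crafted record because 8 - 256 wraps to SIZE_MAX - 247, while the hardened check rejects it before any subtraction happens; both accept the benign record.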
Potential Impact of CVE-2025-20128
- Service Disruption: The immediate impact of this vulnerability is the potential termination of the ClamAV scanning process, resulting in a denial of service. This could allow malware to infiltrate a network undetected, compromising system security.
- Increased Vulnerability to Attacks: Organizations relying on ClamAV for malware detection may find themselves exposed if this service is interrupted. The inability to scan files effectively raises the risk of successful cyberattacks, including data breaches or system integrity violations.
- Operational Downtime: A successful exploitation can lead to significant operational disruptions, requiring organizations to implement emergency protocols to maintain security. This can result in financial losses and damage to reputation due to compromised system integrity and loss of service continuity.
Affected Version(s)
Cisco Secure Endpoint 7.0.5
Cisco Secure Endpoint 6.2.19
Cisco Secure Endpoint 7.3.3
News Articles
Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw - Help Net Security
Cisco fixed critical Meeting Management flaw (CVE-2025-20156) and a vuln (CVE-2025-20128) that can DDoS ClamAV on endpoints.

ClamAV File Decryption Vulnerability Let Remote Attackers Trigger DoS Attack
This flaw, identified as CVE-2025-20128, could allow unauthenticated remote attackers to trigger a Denial of Service (DoS) condition on affected devices. The vulnerability is rated as Medium Severity with a CVSS base score of 5.3.
Timeline
- 📰 First article discovered by CybersecurityNews
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability reserved