Cisco warns of denial of service flaw with PoC exploit code

Cisco has released security updates to patch a ClamAV denial-of-service (DoS) vulnerability for which proof-of-concept (PoC) exploit code is available.

Tracked as CVE-2025-20128, the vulnerability is due to a heap-based buffer overflow weakness in the Object Linking and Embedding 2 (OLE2) decryption routine, allowing unauthenticated, remote attackers to trigger a DoS condition on vulnerable devices.

If this vulnerability is successfully exploited, it could cause the ClamAV antivirus scanning process to crash, stopping or delaying further scanning operations.

“An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device,” Cisco explained. “A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software.”

However, in an advisory issued today, the company noted that overall system stability would not be affected even after successful attacks.

The list of vulnerable products includes the Secure Endpoint Connector software for Linux, Mac, and Windows-based platforms. This solution helps ingest Cisco Secure Endpoint audit logs and events into security information and event management (SIEM) systems like Microsoft Sentinel.

PoC exploit available, no active exploitation

While the Cisco Product Security Incident Response Team (PSIRT) said it has no evidence of in-the-wild exploitation, it added that CVE-2025-20128 exploit code is already available.

“The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory,” Cisco PSIRT said.

Today, the company also patched a Cisco BroadWorks DoS security flaw (CVE-2025-20165) and a critical-severity privilege escalation vulnerability (CVE-2025-20156) in the Cisco Meeting Management REST API that lets attackers gain admin privileges on unpatched devices.

In October, it fixed another DoS security bug (CVE-2024-20481) in its Cisco ASA and Firepower Threat Defense (FTD) software, discovered during large-scale brute-force attacks against Cisco Secure Firewall VPN devices in April 2024.

One month later, it addressed a maximum-severity vulnerability (CVE-2024-20418) that allows attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) industrial access points.