https://github.com/v-p-b/avpwn
List of real-world threats against endpoint protection software
- Host: GitHub
- URL: https://github.com/v-p-b/avpwn
- Owner: v-p-b
- Created: 2016-11-20T16:46:58.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2024-11-23T16:29:47.000Z (over 1 year ago)
- Last Synced: 2025-06-21T09:47:17.177Z (about 1 year ago)
- Topics: antivirus, endpoint-protection, exploits, incidents, security, vulnerability
- Homepage:
- Size: 54.7 KB
- Stars: 216
- Watchers: 24
- Forks: 38
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-security-collection (**88** stars) - list of real-world threats against endpoint protection software (collection)
README
AVPWN
=====
List of real-world threats against endpoint protection software, kept for future reference. The list is based on public information and is therefore obviously incomplete.
The list should include:
* Non-public 0-day exploits at the time of reference
* Public incidents where attackers exploited endpoint protection software
* Supporting public evidence should be provided for all records
The list doesn't include:
* Exploits intentionally disclosed to the vendor in any way (including full uncoordinated disclosure)
* Detection bypasses, because I don't want to fill up the storage space of GitHub
* Attacks or exploits against perimeter products, because I'm lazy
The List
--------
| Name | Link | Internal ID | Server Side | Client Side | Known Incident |
|-----------------------------------------------------------------------------|--------------------------------------------------------|-------------|-------------|-------------|----------------|
| avast! Local Information Disclosure | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-005 | 0 | 1 | Brokered |
| avast! Local Privilege Escalation | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-010 | 0 | 1 | Brokered |
| McAfee ePolicy Orchestrator Privileged Remote Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-019 | 1 | 0 | Brokered |
| McAfee ePolicy Orchestrator Post-Auth Privileged Remote Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-023 | 1 | 0 | Brokered |
| McAfee ePolicy Orchestrator Post-Auth Privileged Remote Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-024 | 1 | 0 | Brokered |
| ESET NOD32 Antivirus and ESET Smart Security Remote Pre-auth Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 2010-0021 | 0 | 1 | Brokered, Sold |
| Symantec AntiVirus Remote Stack Buffer Overflow | http://www.securityfocus.com/news/11426 | CVE-2006-2630 | 0 | 1 | Exploited ItW |
| McAfee Stinger Portable DLL Sideloading | https://wikileaks.org/ciav7p1/cms/page_27492400.html | Fine Dining | 0 | 1 | CIA collection |
| Sophos Virus Removal Tool DLL sideloading | https://wikileaks.org/ciav7p1/cms/page_27263043.html | Fine Dining | 0 | 1 | CIA collection |
| Kaspersky TDSS Killer Portable DLL Sideloading | https://wikileaks.org/ciav7p1/cms/page_27492393.html | Fine Dining | 0 | 1 | CIA collection |
| ClamWin Portable DLL Hijack | https://wikileaks.org/ciav7p1/cms/page_27262995.html | Fine Dining | 0 | 1 | CIA collection |
| Kaspersky ?? SUID command injection | https://hackmd.io/s/r1gLMUUpx | evolvingstrategy | 0 | 1 | EQGRP exploit leaked by Shadow Brokers |
| Symantec rastlsc.exe DLL side-loading | https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf| OceanLotus | 0 | 1 | ESET report |
| Trend Micro Office Scan server ZIP path traversal | https://www.zdnet.com/article/trend-micro-antivirus-zero-day-used-in-mitsubishi-electric-hack/ | CVE-2019-18187 | 1 | 0 | Mitsubishi Electric |
| Trend Micro Apex One and OfficeScan migration tool RCE | https://www.darkreading.com/vulnerabilities---threats/trend-micro-patches-two-zero-days-under-attack/d/d-id/1337338 https://success.trendmicro.com/solution/000245571 https://www.tenable.com/blog/cve-2020-8467-cve-2020-8468-vulnerabilities-in-trend-micro-apex-one-and-officescan-exploited-in | CVE-2020-8467 | 1 | 0 | N/A |
| Trend Micro Apex One and OfficeScan content validation escape | https://www.darkreading.com/vulnerabilities---threats/trend-micro-patches-two-zero-days-under-attack/d/d-id/1337338 https://success.trendmicro.com/solution/000245571 https://www.tenable.com/blog/cve-2020-8467-cve-2020-8468-vulnerabilities-in-trend-micro-apex-one-and-officescan-exploited-in | CVE-2020-8468 | 0 | 1 | N/A |
| Windows Defender [buffer overflow](https://snort.org/advisories/talos-rules-2021-01-12) | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647 | CVE-2021-1647 | 0 | 1 | Exploitation was detected before fix was released. [Snort rules](https://snort.org/advisories/talos-rules-2021-01-12) detect shellcode. [May be related](https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/) to the SolarWinds breach (although this remark was deleted from ZDI's original [post](https://webcache.googleusercontent.com/search?q=cache:jJPdtnWB-4sJ:https://www.thezdi.com/blog/2021/1/12/the-january-2021-security-update-review+&cd=1&hl=hu&ct=clnk&gl=hu))|
| Trend Micro Apex One Improper Access Control Privilege Escalation | https://www.zerodayinitiative.com/advisories/ZDI-20-1094/ | CVE-2020-24557 | 0 | 1 | https://therecord.media/nightmare-week-for-security-vendors-now-a-trend-micro-bug-is-being-exploited-in-the-wild/ (unclear if exploitation happened before or after vendor was notified about the bug) |
| Trend Micro Apex One Local Privilege Escalation and Arbitrary File Upload | https://success.trendmicro.com/solution/000287819 | CVE-2021-36742 CVE-2021-36741 | 1 | 1 | https://therecord.media/hackers-tried-to-exploit-two-zero-days-in-trend-micros-apex-one-edr-platform/ |
| Trend Micro Apex Central Arbitrary File Upload RCE| https://success.trendmicro.com/dcx/s/solution/000290678?language=en_US | CVE-2022-26871 | 1 | 0 | https://twitter.com/GossiTheDog/status/1510901921657331716 |
| eScan insecure update MitM leads to RCE | https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/ | N/A | 0 | 1 | https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/ |
| Trend Micro Apex One Management Console Command Injection RCE Vulnerability | [KA-0020652](https://success.trendmicro.com/en-US/solution/KA-0020652) | CVE-2025-54948 | 1 | 0 | https://success.trendmicro.com/en-US/solution/KA-0020652 |
| Triofox Improper Access Control allows RCE by abusing anti-virus feature | https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480 | CVE-2025-12480 | 0 | 1 | https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480 |
### Immortal exploits
The following list contains exploits of ["immortal" vulnerabilities](https://www.rand.org/pubs/research_reports/RR1751.html) - ones that for some reason can't be fixed by the vendor.
| Name | Link | Internal ID | Server Side | Client Side | Known Incident |
|-----------------------------------------------------------------------------|--------------------------------------------------------|-------------|-------------|-------------|----------------|
| Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation | https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-agnitum-driver.html https://twitter.com/cherepanov74/status/762654147841781760 | N/A | 0 | 1 | Remsec / Cremes malware |
| Agnitum Sandbox.sys Kernel Driver Arbitrary DLL Loading | https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-agnitum-driver.html https://twitter.com/cherepanov74/status/762654147841781760 | N/A | 0 | 1 | Remsec / Cremes malware |
| AvosLocker Ransomware Variant Abuses Avast Driver File (asWarPot.sys) to Disable Anti-Virus [1] | https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ | BURNTCIGAR | 0 | 1 | AvosLocker, Cuba |
| Zemana AntiMalware/AntiLogger Driver to Disable Anti-Virus [1] | https://voidsec.com/reverse-engineering-terminator-aka-zemana-antimalware-antilogger-driver/ | Terminator | 0 | 1 | SpyBot |
| Panda Memory Access Driver multiple vulnerabilities | https://news.sophos.com/en-us/2024/01/25/multiple-vulnerabilities-discovered-in-widely-used-security-driver/| CVE-2023-6330, CVE-2023-6331, CVE-2023-6332 | 0 | 1 | Red Team used 0-day |
| Avast Anti-Rootkit driver abuse for process termination [1] | https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/ | N/A | 0 | 1 | Unspecified malware |
[1] Abuse of legitimate functionality; admin->kernel is not a security boundary
### Honorable mentions
* As of November 2016, Zerodium (a prominent vulnerability broker) [is offering](https://web.archive.org/web/20161108134847/http://zerodium.com/program.html) up to $40,000 for Antivirus LPE/RCE
* In 2017, the price for AV LPE exploits [dropped](https://web.archive.org/web/20170823152044/https://zerodium.com/program.html) to $10,000 (presumably because of the easy availability of such exploits).
* In 2014, Kaspersky [reported](https://web.archive.org/web/*/https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf) that the Careto malware was attempting to exploit a vulnerability in their products _"to make the malware 'invisible' in the system"_. The targeted vulnerability had been fixed in 2008.
* In 2015, Kaspersky [reported](https://blog.kaspersky.co.uk/kaspersky-statement-duqu-attack/5858/) a compromise of their own systems. According to the report _"neither [Kaspersky's] products nor services have been compromised"_, and the attackers were after information about _"ongoing investigations [...] detection methods and analysis capabilities"_. In 2017 the [NYT reported](https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html) that Kaspersky had been compromised by Israeli intelligence, which found that Russian services were using the company's infrastructure/products to "scour the world for U.S. secrets".
* In 2013, Bit9, a security firm mostly known for its whitelist-based endpoint protection product, [was hacked](https://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/) and code-signing certificates with private keys were stolen. With these, attackers were able to sign malware with Bit9's code-signing certificate. The signed malware was used to bypass Bit9 protection on the client.
* In May 2019, Advanced Intelligence LLC [claimed](https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies) that Fxmsp - a threat actor they had been monitoring for some time - compromised four antivirus companies including [Symantec, Trend Micro, and McAfee](https://www.reddit.com/r/netsec/comments/bok8kx/fxmsp_claims_breaches_of_three_major_antivirus/). Fxmsp was said to be selling access to the source code and internal networks on the darknet. Advanced Intelligence LLC [was registered](https://twitter.com/swagitda_/status/1126548346624270337) in Delaware right before the announcement.
* In May 2019, based on Symantec's [statement](https://www.cbronline.com/news/trend-micro-symantec-fxmsp), Advanced Intelligence retracted their claim that Symantec was affected. Trend Micro acknowledged the breach of "a single testing lab network".
* In June 2019, Advanced Intelligence [claimed](https://www.bleepingcomputer.com/news/security/another-hacker-selling-access-to-charity-antivirus-firm-networks/) further breaches, including Comodo.
* [Moshen Dragon (2022)](https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/) abuses multiple AV executables for DLL sideloading to hide itself. While this is not considered a vulnerability in the affected AV software, Trend Micro [deployed](https://www.bleepingcomputer.com/news/security/trend-micro-fixes-bug-chinese-hackers-exploited-for-espionage/) some countermeasures.
* [eScan Supply Chain Compromise (2026)](https://www.morphisec.com/blog/critical-escan-threat-bulletin/) - "On January 20, 2026, Morphisec identified an active supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product. Malicious updates were distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally." More info on [Bleeping Computer](https://www.bleepingcomputer.com/news/security/escan-confirms-update-server-breached-to-push-malicious-update/) and [Securelist](https://securelist.com/escan-supply-chain-attack/118688/).