CVE-2024-22014 in Total Security Antivirus
Summary
by MITRE • 04/15/2024
An issue discovered in 360 Total Security Antivirus through 11.0.0.1061 for Windows allows attackers to gain escalated privileges via Symbolic Link Follow to Arbitrary File Delete.
Analysis
by VulDB Data Team • 06/08/2025
The vulnerability identified as CVE-2024-22014 affects 360 Total Security Antivirus version 11.0.0.1061 and earlier on Windows platforms, representing a critical privilege escalation flaw that stems from improper handling of symbolic links during file operations. This issue manifests when the antivirus software processes symbolic links that point to arbitrary files, creating a dangerous condition where an attacker can manipulate the system to delete files that should otherwise be protected. The vulnerability resides in the antivirus software's file deletion mechanism, which fails to properly validate or sanitize symbolic link references before executing destructive operations, thereby allowing unauthorized file removal with elevated privileges.
The technical exploitation of this vulnerability involves creating a malicious symbolic link that points to a protected system file or directory, then triggering the antivirus software to follow this link and delete the target file. This process leverages the software's trust in symbolic link resolution without proper verification of the link's integrity or destination, enabling attackers to bypass normal access controls and delete critical system files or user data. The flaw specifically affects the antivirus's handling of symbolic links during file operations, where the software does not adequately distinguish between legitimate and malicious symbolic link targets. This behavior aligns with CWE-59: Improper Link Resolution Without Limiting Recursion, which addresses the dangers of insufficient symbolic link validation in security software, and also relates to CWE-276: Incorrect Permission Assignment, as the vulnerability allows privilege escalation through improper file access control.
The operational impact of CVE-2024-22014 extends beyond simple file deletion, as it enables attackers to perform privilege escalation attacks that could lead to complete system compromise. An attacker with low-privilege access could exploit this vulnerability to delete critical system files, potentially causing system instability or requiring complete reinstallation of the operating system. The vulnerability affects all Windows users running 360 Total Security Antivirus versions up to 11.0.0.1061, making it particularly dangerous as it targets widely deployed antivirus software. The attack vector is relatively straightforward, requiring only the ability to create symbolic links and trigger the antivirus software to process them, which could be accomplished through various attack methods including social engineering, drive-by downloads, or exploitation of other system vulnerabilities.
Mitigation strategies for this vulnerability should focus on immediate software updates from 360 Technologies, as the vendor has likely released patches to address the symbolic link handling issue. System administrators should ensure that all affected systems are updated to the latest version of 360 Total Security Antivirus, which should include proper validation of symbolic links during file operations. Additionally, implementing proper access controls and monitoring for unauthorized symbolic link creation can help detect potential exploitation attempts. Organizations should also consider temporarily disabling the affected antivirus features or running the software in a restricted environment until patches are applied. From an ATT&CK perspective, this vulnerability maps to T1059.001: Command and Scripting Interpreter, as exploitation may involve command execution to create symbolic links, and T1548.002: Abuse Elevation Control Mechanism, as it enables privilege escalation through software misconfiguration. The vulnerability also relates to T1490: Data Destruction, as it allows for unauthorized file deletion that could result in data loss or system compromise.
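The "proper validation of symbolic links during file operations" that the mitigation paragraph calls for, in working form, as an added example that is neither 360's nor VulDB's code: a privileged deleter walks a path under a fixed root one component at a time with O_NOFOLLOW, so a symlink planted by a low-privilege user cannot redirect the delete, shown beside the naive delete that follows it. It uses POSIX dir_fd semantics; on Windows the equivalent is opening each component with FILE_FLAG_OPEN_REPARSE_POINT and refusing anything carrying FILE_ATTRIBUTE_REPARSE_POINT. The directory and file names are constructed for the demonstration.

```python
import os
import stat
import tempfile
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def safe_unlink(root: str, rel_path: str) -> None:
    """Delete root/rel_path, refusing to follow a symlink at any component.
    Each directory is opened relative to the previous handle with O_NOFOLLOW,
    so a link (even one swapped in mid-walk) raises ELOOP instead of
    redirecting the delete; the final name is checked through that handle."""
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p]
    if not parts or ".." in parts:
        raise ValueError("refusing empty or parent-relative path")
    dir_fd = os.open(root, DIR_FLAGS)
    try:
        for comp in parts[:-1]:
            next_fd = os.open(comp, DIR_FLAGS, dir_fd=dir_fd)  # ELOOP on a link
            os.close(dir_fd)
            dir_fd = next_fd
        if stat.S_ISLNK(os.lstat(parts[-1], dir_fd=dir_fd).st_mode):
            raise PermissionError("refusing to delete through a symbolic link")
        os.unlink(parts[-1], dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def demo() -> dict:
    """Constructed scenario: a user-writable quarantine directory holding a
    symlink 'q' to a directory the privileged deleter must never reach."""
    with tempfile.TemporaryDirectory() as top:
        protected = os.path.join(top, "protected")
        quarantine = os.path.join(top, "quarantine")
        os.makedirs(protected)
        os.makedirs(quarantine)
        target = os.path.join(protected, "critical.dll")
        open(target, "w").close()
        os.symlink(protected, os.path.join(quarantine, "q"))
        os.remove(os.path.join(quarantine, "q", "critical.dll"))  # naive: follows the link
        naive_deleted = not os.path.exists(target)
        open(target, "w").close()  # restore it for the hardened attempt
        try:
            safe_unlink(quarantine, "q/critical.dll")
            refused = False
        except OSError:  # ELOOP from O_NOFOLLOW, or the PermissionError above
            refused = True
        legit = os.path.join(quarantine, "sample.bin")  # genuine file under the root
        open(legit, "w").close()
        safe_unlink(quarantine, "sample.bin")
        return {"naive_deleted": naive_deleted, "safe_refused": refused,
                "target_intact": os.path.exists(target), "legit_deleted": not os.path.exists(legit)}
```

Detection-side, the same property is what to alert on: a privileged process deleting through a path whose components include a reparse point or symlink created by a lower-privilege account.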