CVE-2025-0720 in eScan Antivirus
Summary
by MITRE • 01/27/2025
A vulnerability was found in MicroWorld eScan Antivirus 7.0.32 on Linux. It has been rated as problematic. Affected by this issue is the function removeExtraSlashes of the file /opt/MicroWorld/sbin/rtscanner of the component Folder Watch List Handler. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 10/10/2025
This vulnerability resides in the Linux build of MicroWorld eScan Antivirus 7.0.32, where a stack-based buffer overflow occurs in the removeExtraSlashes function of the rtscanner binary at /opt/MicroWorld/sbin/rtscanner. The affected component is the Folder Watch List Handler, so the input that reaches the flaw is path data that rtscanner processes for watched folders. The function name suggests it normalises paths by collapsing repeated slashes; the record does not publish its implementation, only that the result is a stack-based buffer overflow, meaning the function writes beyond the end of a fixed-size buffer on the stack. An over-long path therefore overwrites whatever sits above that buffer in the frame, and anything an attacker can place there runs with the privileges of the rtscanner process. If, as is typical for a real-time scanner, rtscanner runs as root, that is a local privilege escalation.
Exploitation requires local access: the attacker must already be able to run code, or at least supply watch-list input, on the host. The classic route from a stack overflow to code execution is overwriting the saved return address, or a function pointer held on the stack, so that control is redirected when the function returns. Whether that is practical here depends on the hardening of the shipped binary, which the record does not state: stack canaries (-fstack-protector), a non-executable stack and PIE with ASLR each raise the bar from reliable code execution to a crash of the scanner. A practitioner triaging an installed copy should inspect the binary for those properties (for example with checksec) before assuming the overflow is a reliable code-execution primitive. The weakness is CWE-121, Stack-based Buffer Overflow: data written beyond the bounds of a fixed-length stack buffer. The local attack vector limits exposure compared with a remote flaw, but the impact remains significant because antivirus components typically run with elevated privileges.
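The following is an added example, not code from the advisory or from MicroWorld: a hypothetical reconstruction of the bug class described above, showing a slash-collapsing copy into a fixed stack buffer with no bounds check beside a hardened version that rejects over-long input. The function names, the 64-byte buffer size (WATCH_PATH_MAX) and the sample paths are all assumptions made for illustration; the real rtscanner implementation is not published.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative stack buffer size; the real rtscanner buffer size is not published. */
#define WATCH_PATH_MAX 64

/*
 * Vulnerable pattern (hypothetical reconstruction, not the rtscanner code):
 * copy the path into a fixed-size stack buffer while collapsing runs of '/'.
 * Nothing bounds n, so a path whose normalised form exceeds the buffer
 * overwrites whatever sits above it on the stack (other locals, the canary
 * if present, the saved frame pointer and the return address).
 */
void remove_extra_slashes_vulnerable(const char *in, char *out)
{
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '/' && n > 0 && out[n - 1] == '/')
            continue;            /* drop the repeated slash */
        out[n++] = *p;           /* unbounded write: CWE-121 */
    }
    out[n] = '\0';
}

/* Length of the normalised path, computed without writing anywhere. Used to
 * show how long an input must be before the vulnerable copy overflows. */
size_t normalized_length(const char *in)
{
    size_t n = 0;
    int last_was_slash = 0;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '/' && last_was_slash)
            continue;
        last_was_slash = (*p == '/');
        n++;
    }
    return n;
}

/* 1 if passing in to the vulnerable function with a WATCH_PATH_MAX-byte
 * destination would write past its end (normalised bytes plus the NUL). */
int would_overflow(const char *in)
{
    return normalized_length(in) + 1 > WATCH_PATH_MAX;
}

/*
 * Hardened form: same normalisation, but every write is checked against the
 * destination size. An over-long path is rejected (returns -1, out emptied)
 * rather than silently truncated, because a truncated watch path could name
 * a different directory than the one the caller intended.
 */
int remove_extra_slashes_safe(const char *in, char *out, size_t out_size)
{
    size_t n = 0;
    if (out_size == 0)
        return -1;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '/' && n > 0 && out[n - 1] == '/')
            continue;
        if (n + 1 >= out_size) {     /* leave room for the terminating NUL */
            out[0] = '\0';
            return -1;
        }
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample inputs: a normal watch-list path and an over-long one. */
    const char *benign = "//home///user//watch/";
    char attacker[200];
    memset(attacker, 'A', sizeof attacker - 1);
    attacker[sizeof attacker - 1] = '\0';

    char buf[WATCH_PATH_MAX];
    remove_extra_slashes_vulnerable(benign, buf);   /* fits: 17 bytes plus NUL */
    printf("vulnerable, benign input : \"%s\"\n", buf);
    printf("199-byte path overflows a %d-byte buffer? %s\n",
           WATCH_PATH_MAX, would_overflow(attacker) ? "yes" : "no");
    /* The vulnerable function is deliberately NOT called with attacker here:
     * it would smash this frame. The safe version rejects the input instead. */
    printf("safe, over-long input    : rc=%d\n",
           remove_extra_slashes_safe(attacker, buf, sizeof buf));
    printf("safe, benign input       : rc=%d \"%s\"\n",
           remove_extra_slashes_safe(benign, buf, sizeof buf), buf);
    return 0;
}
```

The point of the contrast is that the normalisation logic is identical in both versions; the only difference is the single length check before each write, which is exactly what CWE-121 describes as missing. Rejecting rather than truncating is the right choice for a path that will later be used to select which directories the scanner watches.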
The operational impact goes beyond code execution in one process: rtscanner is part of the real-time scanning engine, so a successful exploit compromises a component that is itself trusted to inspect the rest of the system. The record states that an exploit has been publicly disclosed, so the flaw should be treated as exploitable now rather than in theory. The vendor was contacted early and did not respond, and no fixed version is identified in the record. Code execution in a privileged antivirus process can be turned into complete system compromise, data theft or persistent backdoor installation, which matters most in enterprise environments where the antivirus agent is deployed on many hosts and runs with high privileges on each.
Mitigation should start from the fact that the record names no fixed release: check the vendor for an update to eScan Antivirus for Linux newer than 7.0.32 and apply it if one exists. Until then, keep in mind that the attack vector is local, so network segmentation does not address it; what helps is limiting who can log in to or run code on the affected hosts and who can add entries to the folder watch list, or temporarily disabling the Folder Watch List functionality where the deployment allows it. Monitor the rtscanner process for crashes (a failed overflow attempt typically terminates the process with SIGSEGV, or with glibc's "stack smashing detected" abort if the binary was built with stack protection), for unexpected child processes, and for execution of binaries that the scanner has no reason to launch; application allowlisting limits what an attacker can run after exploitation. In ATT&CK terms the applicable technique is T1068, Exploitation for Privilege Escalation; T1059.007 (Command and Scripting Interpreter: JavaScript) does not describe this flaw and should not be mapped to it. The vulnerability is a reminder that input validation and bounded memory writes are basic requirements for security-critical software, and the lack of a vendor response shows why a working disclosure process matters: with the exploit public and no patch available, proactive defence on the affected hosts is the only option.