CVE-2018-16721

7.8 HIGH

📋 TL;DR

This vulnerability in Jingyun Antivirus allows local users to trigger a denial of service (BSOD) or potentially execute arbitrary code by sending malformed input to a driver's IOCTL handler. It affects users of Jingyun Antivirus version 2.4.2.39 on Windows systems. The issue stems from improper input validation in the ZySandbox.sys driver.

💻 Affected Systems

Products:
  • Jingyun Antivirus
Versions: v2.4.2.39
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the ZySandbox.sys driver to be loaded, which is part of the standard installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation leading to full system compromise, arbitrary code execution with kernel privileges, or persistent denial of service.

🟠 Likely Case

Local denial of service (Blue Screen of Death) causing system instability and requiring reboot.

🟢 If Mitigated

Limited to denial of service if exploit attempts are blocked by security controls, with no privilege escalation.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Any local user (including low-privileged accounts) can potentially trigger the vulnerability on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Proof-of-concept code is publicly available on GitHub. Exploitation requires local access but no authentication beyond standard user privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the vendor website for an updated version.
2. Uninstall the vulnerable version.
3. Install the latest version, if available.
4. Reboot the system.

🔧 Temporary Workarounds

Disable or remove the vulnerable driver (Windows)

Prevent the vulnerable ZySandbox.sys driver from loading. Run these from an elevated command prompt; in PowerShell use sc.exe, because sc is an alias of Set-Content there. Any antivirus features that depend on this driver will stop working once its service entry is deleted.

sc stop ZySandbox
sc delete ZySandbox

Restrict driver access permissions (Windows)

Set a restrictive ACL on the driver file to prevent unauthorized access. S-1-1-0 is the Everyone group, so this deny entry also blocks the driver from being loaded at boot; it is effectively another way of disabling the driver, so test it before rolling it out.

icacls C:\Windows\System32\drivers\ZySandbox.sys /deny *S-1-1-0:(RX)

🧯 If You Can't Patch

  • Uninstall Jingyun Antivirus and replace with alternative security software
  • Implement strict access controls to prevent local users from executing arbitrary code

🔍 How to Verify

Check if Vulnerable:

Check if ZySandbox.sys driver version 2.4.2.39 is present in C:\Windows\System32\drivers\

Check Version:

driverquery /v | findstr ZySandbox

Verify Fix Applied:

Verify ZySandbox.sys driver is either removed or updated to a newer version

📡 Detection & Monitoring

Log Indicators:

  • System crashes (Kernel-Power Event ID 41 records the unexpected reboot; BugCheck Event ID 1001 in the System log records the bugcheck itself)
  • Driver load failures for ZySandbox.sys
  • Access denied errors for driver operations

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

EventID=41 AND Source="Microsoft-Windows-Kernel-Power" | where Description contains "BSOD"
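The checks from the two sections above (driver presence and file version, service state, and the crash events listed as log indicators) combined into one PowerShell function. This is an added example, not code from the advisory or from Jingyun, and it assumes the default driver path and the ZySandbox service name shown in the workaround commands.

```powershell
# Added check script; not part of the advisory or of Jingyun's software.
# Assumes the default driver path and the service name "ZySandbox" used above.
function Test-ZySandboxExposure {
    param(
        [string]$DriverPath = 'C:\Windows\System32\drivers\ZySandbox.sys',
        [version]$VulnerableVersion = [version]'2.4.2.39',
        [int]$LookbackDays = 7
    )
    $result = [ordered]@{
        DriverPresent = $false
        FileVersion   = $null
        Vulnerable    = $false
        ServiceState  = 'not registered'
        RecentCrashes = 0
    }

    if (Test-Path -LiteralPath $DriverPath) {
        $result.DriverPresent = $true
        $raw = (Get-Item -LiteralPath $DriverPath).VersionInfo.FileVersion
        # FileVersion strings may carry trailing text; keep only the numeric part.
        if ($raw -match '^\s*(\d+(\.\d+){1,3})') {
            $result.FileVersion = [version]$Matches[1]
            # Treat the known-vulnerable build and anything older as exposed.
            $result.Vulnerable = ($result.FileVersion -le $VulnerableVersion)
        }
    }

    # The service entry shows whether the driver is registered and currently loaded.
    $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='ZySandbox'" -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceState = '{0} (start mode: {1})' -f $svc.State, $svc.StartMode
    }

    # Kernel-Power 41 = unexpected reboot; BugCheck 1001 = recorded bugcheck (BSOD).
    $since = (Get-Date).AddDays(-$LookbackDays)
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001; StartTime = $since }
    )
    foreach ($f in $filters) {
        $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
        $result.RecentCrashes += @($events).Count
    }

    [pscustomobject]$result
}

Test-ZySandboxExposure
```

A non-zero RecentCrashes count on a host where the driver is present and Vulnerable is true is the combination worth investigating first; the crash counter alone also fires on unrelated power loss.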
