CVE-2023-26088

7.8 HIGH

📋 TL;DR

This vulnerability in Malwarebytes allows attackers to delete arbitrary files via symbolic link exploitation in the local quarantine system. It affects all Windows users running Malwarebytes versions before 4.5.23. In certain scenarios, this can lead to privilege escalation.

💻 Affected Systems

Products:
  • Malwarebytes for Windows
Versions: All versions before 4.5.23
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of Malwarebytes for Windows prior to the patched version.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through privilege escalation leading to administrative control, data destruction, or ransomware deployment.

🟠

Likely Case

Local file deletion causing system instability, data loss, or disruption of security software functionality.

🟢

If Mitigated

Limited to non-critical file deletion if proper user permissions and monitoring are in place.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Malicious insiders or compromised accounts can exploit this to escalate privileges and cause significant damage.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access to the system but exploitation is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.23 or later

Vendor Advisory: https://support.malwarebytes.com/hc/en-us/articles/14279575968659-Malwarebytes-for-Windows-4-5-23-Release-Notes

Restart Required: Yes

Instructions:

1. Open the Malwarebytes application.
2. Click Settings (gear icon).
3. Go to the About tab.
4. Click Check for Updates.
5. Install version 4.5.23 or newer.
6. Restart the computer if prompted.

🔧 Temporary Workarounds

Disable Malwarebytes Quarantine

Platform: windows

Description: Temporarily disable the quarantine feature to prevent exploitation.

Command: Not applicable - disable via Malwarebytes GUI settings.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unauthorized local access
  • Deploy application whitelisting to prevent execution of unauthorized programs

🔍 How to Verify

Check if Vulnerable:

Check Malwarebytes version in Settings > About tab. If version is below 4.5.23, system is vulnerable.

Check Version:

wmic product where "name like 'Malwarebytes%'" get version

Verify Fix Applied:

Confirm Malwarebytes version is 4.5.23 or higher in Settings > About tab.
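The version check above compares strings by eye; a scripted check has to compare version components numerically (a naive string comparison ranks "4.5.9" above "4.5.23") and cope with the header and blank lines that `wmic` prints. The following is an added example, not code from the advisory or from Malwarebytes, that parses a constructed copy of that `wmic` output and flags any version below the fixed release 4.5.23. The sample output string is constructed for the example; the four-part version format is an assumption. Note that `wmic` is deprecated on current Windows builds, so the parser only assumes the "Version" header plus one value per line.

```python
"""Added example (not from the advisory): decide whether an installed
Malwarebytes version is below the fixed release 4.5.23, parsing the
text that the `wmic product ... get version` check prints."""

FIXED_VERSION = "4.5.23"  # patch version stated in the advisory


def parse_version(text):
    """Turn '4.5.22' or '4.5.22.225' into a tuple of ints so that
    comparison is numeric; non-digit characters in a component are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts below the fixed one."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so that 4.5.23 == 4.5.23.0.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def versions_from_wmic_output(output):
    """Extract version strings from wmic's table output: a 'Version'
    header line, one value per line, blank lines and trailing spaces."""
    versions = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.lower() == "version":
            continue
        versions.append(line)
    return versions


def assess(output):
    """Map each version reported by wmic to a vulnerable/patched verdict."""
    return {v: is_vulnerable(v) for v in versions_from_wmic_output(output)}


# Constructed sample of wmic output (not captured from a real host);
# the four-part version string is an assumption about the format.
SAMPLE_OUTPUT = "Version  \r\n4.5.22.225  \r\n\r\n"

if __name__ == "__main__":
    for version, vuln in assess(SAMPLE_OUTPUT).items():
        print(f"{version}: {'VULNERABLE' if vuln else 'patched'}")
```

Pipe the real command output into `assess()` (for example by reading it from `subprocess.run([...], capture_output=True, text=True).stdout`) to use it on a host; the sample string only stands in for that output here.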

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events in Windows Event Logs
  • Malwarebytes quarantine operations on unexpected files

Network Indicators:

  • No network indicators - local exploitation only

SIEM Query:

EventID=4663 AND ProcessName LIKE '%Malwarebytes%' AND AccessMask='0x10000' (Delete access)
