CVE-2023-28892

7.8 HIGH

📋 TL;DR

This vulnerability in Malwarebytes AdwCleaner 8.4.0 allows a non-admin user to escalate privileges to SYSTEM through an insecure file deletion in the debug log cleanup routine. By placing a symbolic link in the log directory, an attacker can trick the software into deleting system files with its elevated privileges and from there gain full control of the machine. Only systems running the vulnerable version of AdwCleaner on Windows are affected.

💻 Affected Systems

Products:
  • Malwarebytes AdwCleaner
Versions: 8.4.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where AdwCleaner is installed and runs with Administrator privileges. The vulnerability is in the debug logging cleanup function.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and maintain persistent access.

🟠 Likely Case

Local privilege escalation where a standard user gains SYSTEM privileges, enabling them to bypass security restrictions and potentially install additional malware.

🟢 If Mitigated

No impact if the software is patched or if proper access controls prevent non-admin users from running or interacting with AdwCleaner.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: MEDIUM - Requires an attacker to have local access, but in shared or multi-user environments, this could be exploited by malicious insiders or compromised standard accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and standard user privileges. The symbolic link attack is well-documented and relatively easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4.1

Vendor Advisory: https://www.malwarebytes.com/secure/cves/cve-2023-28892

Restart Required: No

Instructions:

1. Open Malwarebytes AdwCleaner.
2. Check for updates in the settings or about section.
3. Update to version 8.4.1 or later.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Remove vulnerable version

Platform: Windows

Uninstall AdwCleaner 8.4.0 completely until you can install the patched version.

Control Panel > Programs > Uninstall a program > Select AdwCleaner > Uninstall

Restrict file permissions

Platform: Windows

Set strict permissions on the C:\AdwCleaner\Logs\ directory so that non-admin users can no longer create files or symbolic links in it. The command below removes inherited permissions and grants full control only to Administrators and SYSTEM (note the path is quoted without a trailing backslash, because `\"` would otherwise be parsed as an escaped quote and break the argument):

icacls "C:\AdwCleaner\Logs" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"

🧯 If You Can't Patch

  • Uninstall AdwCleaner 8.4.0 completely
  • Implement strict access controls to prevent non-admin users from running or interacting with AdwCleaner

🔍 How to Verify

Check if Vulnerable:

Check AdwCleaner version in the application's about section or via Programs and Features in Control Panel. Version 8.4.0 is vulnerable.

Check Version:

wmic product where name="AdwCleaner" get version

Verify Fix Applied:

Verify AdwCleaner version is 8.4.1 or later. Check that the application no longer performs insecure file deletions in the debug log directory.
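The following PowerShell script is an added example, not code from this advisory or from Malwarebytes. It combines the checks above into one read-only host check: the installed version against the patched version, the ACL on the log directory after the icacls workaround, and any reparse points (symbolic links or junctions) inside that directory. It assumes, as the wmic check above does, that the installation is registered under the Windows Uninstall registry keys (a portable copy is not, and must be checked in the application's about section), and it uses the C:\AdwCleaner\Logs directory path named above.

```powershell
# Added example (not from the advisory or from Malwarebytes): read-only checks
# for CVE-2023-28892 on a Windows host. Run from an elevated PowerShell prompt
# so the ACL of the log directory can be read.

$LogDir       = 'C:\AdwCleaner\Logs'   # path named in the advisory
$FixedVersion = [version]'8.4.1'       # first patched version per the advisory

# 1. Installed version. Reading the Uninstall keys is equivalent to the
#    advisory's wmic check without the cost of enumerating Win32_Product.
#    Assumption: the install is registered here (portable copies are not).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*AdwCleaner*' -and $_.DisplayVersion }

if (-not $entries) {
    Write-Output 'AdwCleaner not registered under the Uninstall keys; check the version in the application''s about section.'
} else {
    foreach ($e in $entries) {
        $installed = $e.DisplayVersion -as [version]
        if (-not $installed) {
            Write-Output ("{0}: version string '{1}' could not be parsed" -f $e.DisplayName, $e.DisplayVersion)
            continue
        }
        $state = if ($installed -lt $FixedVersion) { 'VULNERABLE (update to 8.4.1 or later)' } else { 'patched' }
        Write-Output ("{0} {1}: {2}" -f $e.DisplayName, $installed, $state)
    }
}

if (-not (Test-Path -LiteralPath $LogDir)) {
    Write-Output "$LogDir does not exist on this host."
    return
}

# 2. ACL on the log directory. After the advisory's icacls workaround,
#    inheritance is off and only Administrators and SYSTEM hold Allow rules.
$acl     = Get-Acl -LiteralPath $LogDir
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$extra   = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $_.IdentityReference.Value
}
if ($acl.AreAccessRulesProtected -and -not $extra) {
    Write-Output "$LogDir ACL is restricted to Administrators and SYSTEM."
} else {
    Write-Output "$LogDir still grants access beyond Administrators and SYSTEM:"
    $extra | ForEach-Object { Write-Output ("  {0}: {1}" -f $_.IdentityReference, $_.FileSystemRights) }
    if (-not $acl.AreAccessRulesProtected) { Write-Output '  (inheritance is still enabled)' }
}

# 3. Reparse points inside the log directory are the artefact the advisory
#    lists under log indicators; a clean directory contains none.
$links = Get-ChildItem -LiteralPath $LogDir -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint }
if ($links) {
    Write-Output 'Reparse points found under the log directory (investigate):'
    $links | ForEach-Object {
        Write-Output ("  {0} [{1}] -> {2}" -f $_.FullName, $_.LinkType, ($_.Target -join ', '))
    }
} else {
    Write-Output "No reparse points under $LogDir."
}
```

The script only reads registry values, the directory ACL and file attributes; it changes nothing, so it is safe to run repeatedly, for example as a scheduled compliance check until every host reports a patched version.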

📡 Detection & Monitoring

Log Indicators:

  • Failed file deletion operations in C:\AdwCleaner\Logs\
  • Unexpected symbolic link creation in AdwCleaner directories
  • Process execution with unexpected parent-child relationships involving AdwCleaner

Network Indicators:

  • No network indicators - this is a local privilege escalation

SIEM Query:

Either of the following (pseudo-query; adapt field names to your SIEM):

  • EventID=4663 AND ObjectName="C:\\AdwCleaner\\Logs\\*" AND AccessMask="0x10000" (0x10000 is the DELETE access right; this requires an object-access audit policy and a SACL on the directory)
  • Process creation where ParentImage contains "AdwCleaner" and CommandLine contains unusual parameters
