CVE-2023-29485

9.8 CRITICAL

📋 TL;DR

This disputed vulnerability in the Heimdal Thor agent allows attackers to bypass network filtering, execute arbitrary code and obtain sensitive information through the DarkLayer Guard threat prevention module. It affects Heimdal Thor agent versions 3.4.2 and earlier on Windows and 2.6.9 and earlier on macOS. Heimdal disputes its validity, stating that the product was not designed to intercept DNS requests from third-party solutions.

💻 Affected Systems

Products:
  • Heimdal Thor agent
Versions: Windows: ≤3.4.2, macOS: ≤2.6.9
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Heimdal disputes the vulnerability, stating that the product was not designed to intercept DNS requests from third-party solutions. The DarkLayer Guard module must be enabled for the issue to be reachable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with arbitrary code execution, data exfiltration, and persistent network access bypassing security controls.

🟠

Likely Case

Network filtering bypass allowing unauthorized communication and potential data leakage through DNS channels.

🟢

If Mitigated

Limited impact with proper network segmentation and additional DNS filtering controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access or the ability to execute code on the endpoint. Public technical details are available in the referenced Medium articles.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Windows: >3.4.2, macOS: >2.6.9

Vendor Advisory: Not provided in CVE details

Restart Required: Yes

Instructions:

1. Update the Heimdal Thor agent to the latest version.
2. Restart affected systems.
3. Verify that the DarkLayer Guard module is functioning correctly.

🔧 Temporary Workarounds

Disable DarkLayer Guard module (Windows)

Temporarily disable the vulnerable threat prevention module. Specific commands are not provided in the CVE details. Note that disabling the module also removes the DNS-based threat prevention it provides, so pair this with the network-level control below.

Implement external DNS filtering (all platforms)

Use network-level DNS filtering (resolver policy or egress DNS controls) as an additional protection layer that does not depend on the agent.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit lateral movement
  • Deploy additional endpoint detection and response (EDR) solutions

🔍 How to Verify

Check if Vulnerable:

Check Heimdal Thor agent version: Windows: ≤3.4.2, macOS: ≤2.6.9

Check Version:

Windows: check the Heimdal Thor agent entry under Control Panel > Programs. macOS: check the application version in the About dialog.

Verify Fix Applied:

Verify that the agent version is beyond the vulnerable range (Windows >3.4.2, macOS >2.6.9) and that DarkLayer Guard is functioning.
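One way to automate the version check across a fleet, as an added example that is not Heimdal's tooling and not part of the CVE text: the affected ceilings are the ones listed above; the Windows Uninstall-key DisplayName substring ("heimdal") and the macOS bundle path are assumptions that should be adjusted to what your endpoints actually show. Versions are compared as numeric tuples, because a plain string comparison ranks "3.4.10" below "3.4.2" and would mark a patched host as vulnerable.

```python
"""Installed-version check for the ranges this page lists.

Added example; not Heimdal's tooling. The affected ceilings come from the CVE
text; everything else is an assumption: the Windows Uninstall-key DisplayName
is matched on the substring "heimdal", and the macOS bundle path is guessed.
Adjust both to what you actually see on a managed endpoint.
"""
import platform
import re
from typing import Optional, Tuple

# Inclusive ceilings of the affected range, from the CVE description.
AFFECTED_MAX = {"Windows": (3, 4, 2), "Darwin": (2, 6, 9)}


def parse_version(s: str) -> Tuple[int, ...]:
    """'3.4.10' -> (3, 4, 10). Numeric tuples compare correctly where plain
    string comparison would wrongly rank '3.4.10' below '3.4.2'."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str, os_name: str) -> bool:
    """True when version <= the affected ceiling for os_name ('Windows' or 'Darwin')."""
    ceiling = AFFECTED_MAX[os_name]
    v = parse_version(version)
    width = max(len(v), len(ceiling))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))  # treat '3.4' as 3.4.0

    return pad(v) <= pad(ceiling)


def installed_version_windows(name_substring: str = "heimdal") -> Optional[str]:
    """Walk both Uninstall hives and return DisplayVersion of the first entry
    whose DisplayName contains name_substring (ASSUMED to match the agent)."""
    import winreg  # only importable on Windows
    hives = (
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    )
    for path in hives:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as k:
                        name = winreg.QueryValueEx(k, "DisplayName")[0]
                        if name_substring in name.lower():
                            return winreg.QueryValueEx(k, "DisplayVersion")[0]
                except OSError:
                    continue  # entry without DisplayName/DisplayVersion
    return None


def installed_version_macos(
    plist_path: str = "/Applications/Heimdal.app/Contents/Info.plist",  # ASSUMED path
) -> Optional[str]:
    """Read CFBundleShortVersionString from the app bundle's Info.plist."""
    import plistlib
    try:
        with open(plist_path, "rb") as f:
            return plistlib.load(f).get("CFBundleShortVersionString")
    except OSError:
        return None


def check_host() -> str:
    """Human-readable verdict for the machine this runs on."""
    os_name = platform.system()
    if os_name == "Windows":
        ver = installed_version_windows()
    elif os_name == "Darwin":
        ver = installed_version_macos()
    else:
        return f"{os_name}: not in scope for this CVE"
    if ver is None:
        return f"{os_name}: Heimdal Thor agent not found (check the assumed name/path)"
    state = "AFFECTED" if is_affected(ver, os_name) else "not in affected range"
    return f"{os_name}: Heimdal Thor agent {ver} -> {state}"


if __name__ == "__main__":
    print(check_host())
```

Run it on each endpoint (or push it through your management tooling) and collect the one-line verdicts; anything reported as AFFECTED, or as "not found" on a host that should have the agent, needs a manual look.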

📡 Detection & Monitoring

Log Indicators:

  • Unusual DNS query patterns
  • DarkLayer Guard module failures
  • Unexpected process execution

Network Indicators:

  • DNS tunneling attempts
  • Unusual outbound DNS traffic patterns
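A heuristic that operationalises the DNS indicators listed above (many distinct high-entropy subdomains under one domain, long query names, TXT/NULL-heavy traffic), as an added example that is not part of the original page, the CVE or the vendor's guidance: the log format, the sample lines and the thresholds are all constructed for illustration and should be tuned against your own baseline before use.

```python
"""Heuristic DNS-tunnelling detector over a DNS query log.

Added example for this page; it is not Heimdal's code, not the CVE's PoC, and the
log format below (timestamp client qname qtype) is constructed for illustration.
Thresholds are illustrative assumptions and should be tuned against your baseline.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Illustrative thresholds (assumptions, not from the CVE or vendor guidance).
MIN_UNIQUE_SUBDOMAINS = 20   # many distinct labels under one registered domain
MIN_LABEL_ENTROPY = 3.0      # bits/char; ordinary hostnames sit well below this
MIN_MEAN_QNAME_LEN = 40      # encoded payloads produce long names
TXT_FRACTION = 0.5           # TXT/NULL-heavy traffic is a classic tunnel tell


@dataclass
class DomainStats:
    queries: int = 0
    txt_like: int = 0
    total_len: int = 0
    entropy_sum: float = 0.0
    subdomains: Set[str] = field(default_factory=set)


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str) -> Tuple[str, str, str]:
    """Return (registered_domain, subdomain, leftmost_label).

    Uses the last two labels as the registered domain, a simplification that
    mishandles multi-part public suffixes such as co.uk; use a public suffix
    list in production."""
    labels = qname.rstrip(".").lower().split(".")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    first = labels[0] if len(labels) > 2 else ""
    return domain, sub, first


def parse_line(line: str) -> Tuple[str, str, str]:
    """'<ts> <client> <qname> <qtype>' -> (client, qname, QTYPE)."""
    _ts, client, qname, qtype = line.split()
    return client, qname, qtype.upper()


def analyze(lines: Iterable[str]) -> Dict[Tuple[str, str], DomainStats]:
    """Aggregate per (client, registered domain)."""
    stats: Dict[Tuple[str, str], DomainStats] = defaultdict(DomainStats)
    for line in lines:
        if not line.strip():
            continue
        client, qname, qtype = parse_line(line)
        domain, sub, first = split_qname(qname)
        st = stats[(client, domain)]
        st.queries += 1
        st.txt_like += int(qtype in ("TXT", "NULL"))
        st.total_len += len(qname)
        st.entropy_sum += shannon_entropy(first)
        st.subdomains.add(sub)
    return dict(stats)


def find_tunnels(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(client, domain) pairs whose query pattern matches the tunnel heuristics."""
    flagged = []
    for key, st in analyze(lines).items():
        if len(st.subdomains) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_len = st.total_len / st.queries
        mean_ent = st.entropy_sum / st.queries
        txt_frac = st.txt_like / st.queries
        if (mean_ent >= MIN_LABEL_ENTROPY and mean_len >= MIN_MEAN_QNAME_LEN) \
                or txt_frac >= TXT_FRACTION:
            flagged.append(key)
    return flagged


# Constructed sample log: ordinary lookups from 10.0.0.5, and a burst of
# high-entropy TXT queries from 10.0.0.7 shaped like an encoded upload.
BENIGN_LINES = [
    "2024-05-01T10:00:01Z 10.0.0.5 www.example.com A",
    "2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX",
    "2024-05-01T10:00:03Z 10.0.0.5 cdn.example.com AAAA",
    "2024-05-01T10:00:04Z 10.0.0.5 login.example.com A",
]


def _tunnel_lines(n: int = 30) -> List[str]:
    lines = []
    for i in range(n):
        # Fake hex-encoded chunk: a sha256 digest stands in for real payload bytes.
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"2024-05-01T10:01:{i:02d}Z 10.0.0.7 {label}.exfil-test.net TXT")
    return lines


SAMPLE_LOG = BENIGN_LINES + _tunnel_lines()

if __name__ == "__main__":
    for client, domain in find_tunnels(SAMPLE_LOG):
        print(f"possible DNS tunnel: client={client} domain={domain}")
```

Feed it your resolver or DNS-firewall logs after adapting parse_line to their format; the per-(client, domain) aggregation is what lets a single tunnelling client stand out against a busy resolver, and the entropy test is what separates encoded payloads from legitimately numerous but readable CDN hostnames.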

SIEM Query:

Not provided in CVE details

🔗 References