CVE-2023-7241
📋 TL;DR
This vulnerability in Webroot Antivirus allows malicious software to abuse the WRSA.EXE process to delete arbitrary and protected files, potentially leading to system instability or data loss. It affects Webroot Antivirus 8.0.1X through 9.0.35.12 on both 32-bit and 64-bit Windows systems.
💻 Affected Systems
- Webroot Antivirus
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, rendering the operating system unbootable or causing permanent data loss.
Likely Case
Malware leveraging this vulnerability to disable security software, delete forensic evidence, or disrupt system operations by removing important files.
If Mitigated
Limited impact if proper endpoint protection and least privilege principles are enforced, though the vulnerability still presents a significant risk.
🎯 Exploit Status
Exploitation requires local access or malware execution on the target system. The vulnerability is in the antivirus software itself, making it particularly dangerous as it bypasses security controls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.35.13 and later
Vendor Advisory: https://answers.webroot.com/Webroot/ukp.aspx?&app=vw&vw=1&login=1&solutionid=4258
Restart Required: Yes
Instructions:
1. Open Webroot SecureAnywhere.
2. Click 'Settings' > 'General'.
3. Click 'Check for Updates'.
4. If an update is available, install it.
5. Restart the computer to complete the update.
🔧 Temporary Workarounds
Disable Webroot Service Temporarily
Platform: Windows. Temporarily disable the Webroot service to prevent exploitation while planning for patching.
sc stop WRSA
sc config WRSA start= disabled
Restrict WRSA.EXE Permissions
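Platform: Windows. Apply strict file system permissions to limit what WRSA.EXE can access. The command below places a deny entry on the executable file itself, so it blocks every account from reading or running WRSA.exe rather than narrowing what the running process can reach.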
icacls "C:\Program Files\Webroot\WRSA.exe" /deny Everyone:(F)
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized execution of WRSA.EXE or similar processes.
- Deploy additional endpoint detection and response (EDR) solutions to monitor for suspicious file deletion activities.
🔍 How to Verify
Check if Vulnerable:
Check Webroot version in the application interface or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SecureAnywhere\Version
Check Version:
reg query "HKLM\SOFTWARE\Webroot\SecureAnywhere" /v Version
Verify Fix Applied:
Verify Webroot version is 9.0.35.13 or higher in the application or registry.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events by WRSA.EXE process
- Multiple failed file access attempts by WRSA.EXE
- Security software tampering alerts
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
Process_Name="WRSA.EXE" AND (EventID=4663 OR EventID=4656) AND (Object_Name="*.sys" OR Object_Name="*.dll")
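The log indicators and SIEM query above, expressed as detection logic over constructed event records (an added example, not from the vendor or the original page). The record field names, the sample events, and the extra DELETE access-mask filter (0x10000) are assumptions of this example.

```python
import fnmatch
import ntpath

WATCHED_EVENT_IDS = {4656, 4663}        # event IDs from the page's SIEM query
WATCHED_PATTERNS = ("*.sys", "*.dll")   # object patterns from the page's SIEM query
DELETE = 0x10000                        # DELETE right in a Windows access mask


def is_suspicious(event):
    """True when WRSA.EXE requested or used DELETE on a .sys/.dll object."""
    if event["EventID"] not in WATCHED_EVENT_IDS:
        return False
    # Compare the image base name case-insensitively; logs carry the full path.
    if ntpath.basename(event["ProcessName"]).upper() != "WRSA.EXE":
        return False
    # Ignore plain reads: only handles that include the DELETE right matter here.
    if not int(event["AccessMask"], 16) & DELETE:
        return False
    name = event["ObjectName"].lower()
    return any(fnmatch.fnmatchcase(name, p) for p in WATCHED_PATTERNS)


def triage(events):
    """Return the object paths that should be reviewed by an analyst."""
    return [e["ObjectName"] for e in events if is_suspicious(e)]


# Constructed sample records (hypothetical field names, not real log output).
WRSA = r"C:\Program Files\Webroot\WRSA.exe"
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessName": WRSA, "AccessMask": "0x10000",
     "ObjectName": r"C:\Windows\System32\drivers\example.sys"},
    {"EventID": 4663, "ProcessName": WRSA, "AccessMask": "0x1",
     "ObjectName": r"C:\Windows\System32\kernel32.dll"},       # read only
    {"EventID": 4663, "ProcessName": r"C:\Windows\explorer.exe",
     "AccessMask": "0x10000",
     "ObjectName": r"C:\Users\Public\old.dll"},                # other process
    {"EventID": 4656, "ProcessName": WRSA, "AccessMask": "0x10080",
     "ObjectName": r"C:\Windows\System32\EXAMPLE.DLL"},        # DELETE + read attrs
    {"EventID": 4663, "ProcessName": WRSA, "AccessMask": "0x10000",
     "ObjectName": r"C:\ProgramData\WRData\cache.db"},         # not .sys/.dll
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("review:", path)
```

The third sample record shows why the object-name conditions must be grouped: a deletion of a .dll by an unrelated process is not attributed to WRSA.EXE.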
🔗 References
- https://answers.webroot.com/Webroot/ukp.aspx?&app=vw&vw=1&login=1&solutionid=4258
- https://www.webroot.com/us/en/business/support/release-notes#heading-endpoint
- https://www.webroot.com/us/en/support/support-consumer-release-notes