CVE-2024-2003
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in ESET security products where an attacker can misuse file operations during quarantine restore to gain elevated privileges. It affects ESET users with vulnerable versions installed. The attacker must have local access to the system to exploit this vulnerability.
💻 Affected Systems
- ESET Endpoint Antivirus
- ESET Endpoint Security
- ESET Server Security
- ESET File Security
- ESET Mail Security
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access gains SYSTEM/root privileges, enabling complete system compromise, data theft, malware persistence, and lateral movement.
Likely Case
Local user or malware with limited privileges escalates to administrative rights, allowing installation of additional malware, disabling security controls, or accessing sensitive data.
If Mitigated
With proper access controls and least privilege principles, impact is limited to the compromised user account without system-wide compromise.
🎯 Exploit Status
Exploitation requires local access and knowledge of the vulnerability. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.1.12.0 or later
Vendor Advisory: https://support.eset.com/ca8674
Restart Required: Yes
Instructions:
1. Open ESET product.
2. Navigate to Help and Support > Check for updates.
3. Install available updates.
4. Restart the computer when prompted.
🔧 Temporary Workarounds
Disable quarantine restore for non-admins
Windows: Configure ESET to restrict quarantine restore operations to administrators only
Implement least privilege access
All platforms: Ensure users operate with minimal necessary privileges to limit impact if exploited
🧯 If You Can't Patch
- Implement strict access controls and limit local administrative privileges
- Monitor for suspicious file operations in ESET quarantine directories
🔍 How to Verify
Check if Vulnerable:
Check ESET product version in the application interface or via 'eset_ver' command in ESET command-line tools
Check Version:
Open ESET GUI > Help and Support > About, or run 'eset_ver' from command line
Verify Fix Applied:
Verify ESET version is 11.1.12.0 or higher and check that quarantine restore operations function normally
📡 Detection & Monitoring
Log Indicators:
- Unusual quarantine restore operations
- Multiple failed restore attempts
- Restore operations from non-admin accounts
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
EventID from ESET logs showing quarantine restore operations from non-privileged accounts
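The log indicators above, expressed as two detection rules in an added example (not part of the original page and not ESET's own tooling). The event schema, field names, threshold and window are assumptions, and the sample events are constructed; map your ESET log export onto these fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical normalized schema (NOT ESET's native log format).
_FIELDS = ("ts", "host", "user", "is_admin", "action", "result")
# Constructed sample events for illustration only.
SAMPLE_EVENTS = [dict(zip(_FIELDS, row)) for row in [
    ("2024-06-21T09:00:05", "ws-01", "alice", False, "quarantine_restore", "failure"),
    ("2024-06-21T09:01:10", "ws-01", "alice", False, "quarantine_restore", "failure"),
    ("2024-06-21T09:02:30", "ws-01", "alice", False, "quarantine_restore", "failure"),
    ("2024-06-21T09:03:00", "ws-01", "alice", False, "quarantine_restore", "success"),
    ("2024-06-21T10:15:00", "srv-02", "admin1", True, "quarantine_restore", "success"),
    ("2024-06-21T10:20:00", "ws-01", "alice", False, "on_demand_scan", "success"),
]]

FAIL_THRESHOLD = 3                    # assumed: failed restores per host/user
FAIL_WINDOW = timedelta(minutes=10)   # assumed: sliding window for the count


def detect(events):
    """Return (rule, host, user, ts) alerts for quarantine restore activity."""
    alerts = []
    recent_failures = defaultdict(deque)  # (host, user) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "quarantine_restore":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"])
        # Indicator: restore operations from non-admin accounts.
        if not ev["is_admin"]:
            alerts.append(("restore_by_non_admin", *key, ev["ts"]))
        # Indicator: multiple failed restore attempts within the window.
        if ev["result"] == "failure":
            window = recent_failures[key]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:
                window.popleft()
            # Fire once when the threshold is reached to avoid alert storms.
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("repeated_failed_restores", *key, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Tune the threshold and window to the restore volume you normally see; on hosts where only administrators are expected to restore files, the first rule alone is the higher-signal alert.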