CVE-2024-48292
📋 TL;DR
This vulnerability in Quick Heal Antivirus Pro and Quick Heal Total Security version 24.0 allows a local, authenticated attacker to escalate privileges through the wssrvc.exe service. Any standard user account on the host can gain SYSTEM-level privileges, which is full control of the machine. There is no network vector: the attacker must already be able to run code on the system as some user.
💻 Affected Systems
- Quick Heal Antivirus Pro 24.0
- Quick Heal Total Security 24.0
⚠️ Manual Verification Required
The database entry for this CVE names version 24.0 only in its description and carries no structured version range (no lower bound, upper bound, or fixed version), so automatic vulnerability detection cannot decide from an installed version number alone whether your system is affected.
Why? Neither the vendor nor NVD has published version ranges for the affected and fixed builds.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, disable antivirus protection, and install additional malicious software.
If Mitigated
Limited impact if local logon is restricted to the users who need it, standard users cannot run arbitrary binaries, and endpoint detection is in place to flag unexpected child processes of wssrvc.exe. Network segmentation does not reduce this vulnerability itself, since exploitation is purely local, but it limits what a host that has been taken over can reach afterwards.
🎯 Exploit Status
Exploitation requires code execution as a local user first (a phishing payload, a compromised low-privilege account, or a foothold from another bug); no additional credentials are needed beyond that. Once that initial access is obtained, the escalation itself is relatively simple to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Check the Quick Heal website for security updates
2. Update to latest version if available
3. Monitor vendor communications for patch release
🔧 Temporary Workarounds
Disable the service that runs wssrvc.exe
Windows: stop and disable the vulnerable service to prevent exploitation. The commands below assume the service key name is wssrvc; confirm it first with sc query or by matching the service's binary path against wssrvc.exe, because sc expects the service name, not the image name. If the product's self-protection feature is enabled it may block the change, so turn that off in the product settings first. Whatever protection this service provides is lost while it is disabled.
sc stop wssrvc
sc config wssrvc start= disabled
Remove Quick Heal software
Windows: uninstall the affected Quick Heal products and replace them with an alternative antivirus solution
Control Panel > Programs > Uninstall a program > Select Quick Heal > Uninstall
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit initial compromise opportunities
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Quick Heal version in the program interface (About dialog) or from the command line and look for entries reporting version 24.0. Note that wmic is deprecated and missing from current Windows 11 builds, and that wmic product (the Win32_Product class) is slow and triggers Windows Installer consistency checks that can repair or reconfigure installed packages; the Uninstall registry keys are the safer source. If you do use wmic, match both spellings of the vendor name:
Check Version:
wmic product where "name like '%Quick%Heal%'" get name,version
Verify Fix Applied:
Confirm the service is stopped and disabled (sc query <service name> reports STOPPED and sc qc <service name> reports START_TYPE DISABLED), or that the installed Quick Heal version is one the vendor has identified as fixed.
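The checks above, as an added PowerShell example that is not part of the original page or of Quick Heal's own tooling. It reads the Uninstall registry keys instead of Win32_Product and finds the service by its binary path rather than guessing the service name. Assumptions: the product's DisplayName contains "Quick Heal" (with or without the space), the image name wssrvc.exe is as given in the advisory, and the function names are chosen here. Run from an elevated prompt.

```powershell
# Added example (not from the original page or from Quick Heal): inventory
# Quick Heal products and the service that runs wssrvc.exe without using
# Win32_Product, which is slow and can trigger MSI repair actions.
# Assumptions: DisplayName contains "Quick Heal"; image name wssrvc.exe from
# the advisory; helper names are chosen here. Run as administrator.

function Get-QuickHealInstall {
    # Both views are needed on 64-bit Windows: native and WOW6432Node installers.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Quick ?Heal' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
}

function Get-WssrvcService {
    # Match on the executable path: the name sc.exe wants is the service key,
    # which need not equal the image name.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'wssrvc\.exe' } |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

function Test-Cve202448292Exposure {
    $installs = @(Get-QuickHealInstall)
    $svc      = @(Get-WssrvcService)
    [pscustomobject]@{
        QuickHealInstalled = $installs.Count -gt 0
        Versions           = ($installs.DisplayVersion | Sort-Object -Unique) -join ', '
        # The advisory names 24.0; any 24.0.x build is treated as in scope.
        Version24Present   = [bool]($installs | Where-Object { $_.DisplayVersion -like '24.0*' })
        ServiceName        = ($svc.Name -join ', ')
        ServiceRunning     = [bool]($svc | Where-Object { $_.State -eq 'Running' })
        # True only when the service exists and every matching instance is Disabled,
        # i.e. the workaround from the Fix section has actually taken effect.
        ServiceDisabled    = ($svc.Count -gt 0) -and -not ($svc | Where-Object { $_.StartMode -ne 'Disabled' })
    }
}

Test-Cve202448292Exposure | Format-List
```

A host is exposed when QuickHealInstalled and Version24Present are both true and ServiceDisabled is false; ServiceName gives the exact name to pass to sc stop and sc config if you apply the workaround.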
📡 Detection & Monitoring
Log Indicators:
- wssrvc.exe, which runs as SYSTEM, spawning child processes it has no reason to spawn, such as cmd.exe or powershell.exe
- Privilege escalation indicators in the Security log: a standard user's session followed by new processes running at SYSTEM level without an expected elevation path
- Service manipulation events for the Quick Heal service outside maintenance windows: Security 4697 (service installed) and System 7040 (start type changed) or 7036 (service entered running/stopped state)
Network Indicators:
- Not applicable - local privilege escalation
SIEM Query (Windows Security log; requires Audit Process Creation so that event 4688 is logged, and the parent process field, which is present on Windows 10 / Server 2016 and later):
EventID=4688 AND ParentProcessName ENDSWITH '\wssrvc.exe' AND (NewProcessName ENDSWITH '\cmd.exe' OR NewProcessName ENDSWITH '\powershell.exe')
The parentheses matter: without them the OR matches every powershell.exe start on the host, and the parent of the new process is the "Creator Process Name" field of 4688, not the process name itself.
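The same correlation as a reusable PowerShell filter, added here as an example that is not part of the original page. It is first applied to three constructed 4688-like records so it can be dry-run offline, then shown against the live Security log. Assumptions: Audit Process Creation is enabled so 4688 events exist; the list of suspicious children (cmd.exe, powershell.exe, pwsh.exe, rundll32.exe) is a choice made here and is not specified by the advisory; the sample records and function names are invented for the example.

```powershell
# Added example (not from the original page): the 4688 correlation from the
# SIEM query, as a filter that can be applied to live or exported events.
# Assumptions: 4688 auditing is on; the child process list is a choice made
# here; sample records below are constructed, not real log data.

$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe'

function Test-SuspiciousChildOfWssrvc {
    # Emits the record when wssrvc.exe is the creator and the child is on the list.
    # Compares file names only, so the install path does not matter.
    param([Parameter(ValueFromPipeline)] $Evt)
    process {
        $parent = [System.IO.Path]::GetFileName($Evt.ParentProcessName)
        $child  = [System.IO.Path]::GetFileName($Evt.NewProcessName)
        if ($parent -ieq 'wssrvc.exe' -and $SuspiciousChildren -icontains $child) { $Evt }
    }
}

function ConvertFrom-4688 {
    # Pull named EventData fields from a live 4688 record so the filter above
    # can be applied; indexing $Record.Properties by position is brittle.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $data = ([xml]$Record.ToXml()).Event.EventData.Data
        $get  = { param($n) ($data | Where-Object Name -eq $n).'#text' }
        [pscustomobject]@{
            TimeCreated       = $Record.TimeCreated
            SubjectUserName   = & $get 'SubjectUserName'
            ParentProcessName = & $get 'ParentProcessName'
            NewProcessName    = & $get 'NewProcessName'
            CommandLine       = & $get 'CommandLine'   # empty unless command-line auditing is on
        }
    }
}

# Constructed sample records for an offline dry run (not real log data).
$sample = @(
    [pscustomobject]@{ ParentProcessName = 'C:\Program Files\Quick Heal\wssrvc.exe'; NewProcessName = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ ParentProcessName = 'C:\Windows\explorer.exe';               NewProcessName = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ ParentProcessName = 'C:\Program Files\Quick Heal\wssrvc.exe'; NewProcessName = 'C:\Windows\System32\WerFault.exe' }
)
$sample | Test-SuspiciousChildOfWssrvc | Format-Table -AutoSize

# Against the live Security log (elevated prompt, 4688 auditing enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } |
#     ConvertFrom-4688 | Test-SuspiciousChildOfWssrvc | Format-Table -AutoSize
```

Of the three constructed records only the first passes: the second has a different parent and the third spawns a child that is not on the list. Extend $SuspiciousChildren with whatever living-off-the-land binaries your environment watches for, but keep the parent check exact so that a normal cmd.exe launched by a user does not page anyone.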