CVE-2024-5102

7.0 HIGH

📋 TL;DR

This vulnerability in Avast Antivirus allows low-privileged Windows users to elevate privileges to SYSTEM level by exploiting a race condition in the repair function. Attackers can delete arbitrary files or execute processes with highest system privileges. It affects Avast Antivirus versions before 24.2 on Windows systems.

💻 Affected Systems

Products:
  • Avast Antivirus
Versions: All versions prior to 24.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires low-privileged user access to the Windows system. The repair feature must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attacker gains SYSTEM privileges, can delete critical system files, install persistent malware, or create backdoors.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, access sensitive data, or disable security software.

🟢 If Mitigated

Limited impact if proper user privilege separation exists and repair function is disabled or monitored.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Malicious insiders or compromised user accounts can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access, knowledge of symlink/junction creation, and winning a race condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.2 or later

Vendor Advisory: https://support.norton.com/sp/static/external/tools/security-advisories.html

Restart Required: Yes

Instructions:

1. Open Avast Antivirus.
2. Go to Menu → Settings → General → Update.
3. Click 'Check for updates'.
4. Install version 24.2 or later.
5. Restart the computer.

🔧 Temporary Workarounds

Disable Repair Function

windows

Remove access to the repair feature through group policy or permissions

Restrict User Privileges

windows

Implement least privilege principle to limit who can access Avast settings

🧯 If You Can't Patch

  • Implement strict user privilege separation - ensure no users have unnecessary local admin rights
  • Monitor for suspicious file deletion or symlink creation in AppData directories

🔍 How to Verify

Check if Vulnerable:

Check the Avast version: Open Avast → Menu → Settings → General → About. If the version is below 24.2, the system is vulnerable.

Check Version:

wmic product where "name like 'Avast%'" get version

Verify Fix Applied:

Confirm Avast version is 24.2 or higher in About section. Verify repair function no longer creates vulnerable conditions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events in AppData directories
  • Multiple repair function invocations by non-admin users
  • Symlink or junction creation in user directories

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

EventID=4663 AND ObjectName LIKE '%AppData%' AND AccessMask='0x10000' AND SubjectUserName NOT IN (admin_users)
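
The SIEM query above, as an added Python example (not part of the original page or any vendor tooling) run over constructed 4663-style records. It tests the DELETE bit rather than comparing the mask string, so a combined mask such as 0x110080 also matches; the admin allow-list and the sample events are assumptions.

```python
# Added example: field names follow the page's SIEM query; the events and
# the admin allow-list are constructed sample data, not real logs.
DELETE = 0x10000  # DELETE access right, the mask the query matches
ADMIN_USERS = {"administrator", "svc-deploy"}  # assumed allow-list

SAMPLE_EVENTS = [  # constructed 4663-style records
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x10000",
     "ObjectName": r"C:\Users\alice\AppData\Local\Temp\a.tmp"},
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ObjectName": r"C:\Users\alice\AppData\Local\Temp\b.tmp"},
    {"EventID": 4663, "SubjectUserName": "Administrator", "AccessMask": "0x10000",
     "ObjectName": r"C:\Users\Administrator\AppData\Local\c.tmp"},
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x10000",
     "ObjectName": r"C:\Windows\Temp\d.tmp"},
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x110080",
     "ObjectName": r"C:\Users\bob\AppData\Roaming\e.dat"},
    {"EventID": 4656, "SubjectUserName": "carol", "AccessMask": "0x10000",
     "ObjectName": r"C:\Users\carol\AppData\Local\f.tmp"},
]

def parse_mask(value):
    """Return the access mask as an int; unparsable values become 0."""
    try:
        return int(str(value), 16)
    except ValueError:
        return 0

def matches(event, admin_users=ADMIN_USERS):
    """True when a record meets every condition of the page's query."""
    if event.get("EventID") != 4663:
        return False
    if "appdata" not in event.get("ObjectName", "").lower():
        return False
    if not parse_mask(event.get("AccessMask")) & DELETE:
        return False
    return event.get("SubjectUserName", "").lower() not in admin_users

def flag_events(events, admin_users=ADMIN_USERS):
    """Return the records worth triaging, in input order."""
    return [e for e in events if matches(e, admin_users)]

if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print(e["SubjectUserName"], e["AccessMask"], e["ObjectName"])
```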
