CVE-2025-0798

8.1 HIGH

📋 TL;DR

This critical vulnerability in MicroWorld eScan Antivirus allows remote attackers to execute arbitrary operating system commands through command injection in the quarantine handler component. It affects Linux systems running eScan Antivirus version 7.0.32. The vulnerability is remotely exploitable but requires specific conditions to be met.

💻 Affected Systems

Products:
  • MicroWorld eScan Antivirus
Versions: 7.0.32
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Linux version. Requires the rtscanner quarantine handler component to be active.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root privileges, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
🟠 Likely Case: Limited command execution within the antivirus service context, potentially leading to privilege escalation and lateral movement.
🟢 If Mitigated: Contained impact with the antivirus service running in a restricted environment, limiting damage to isolated processes.

🌐 Internet-Facing: MEDIUM - Requires specific conditions and antivirus interaction, not directly exposed like web services.
🏢 Internal Only: HIGH - Internal attackers or compromised systems could exploit this to gain elevated privileges and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit details are publicly available but require specific conditions. Attack complexity is rated high by the CVE description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UNKNOWN

Vendor Advisory: NONE

Restart Required: No

Instructions:

1. Check vendor website for security updates
2. Monitor for official patch release
3. Vendor has not responded to disclosure

🔧 Temporary Workarounds

Disable Quarantine Handler

Temporarily disable the vulnerable rtscanner quarantine handler component:

systemctl stop escan-rtscanner
systemctl disable escan-rtscanner

Restrict Network Access

Limit network access to the antivirus management interface:

iptables -A INPUT -p tcp --dport [escan-port] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Monitor for suspicious process execution and command injection attempts

🔍 How to Verify

Check if Vulnerable:

Check if eScan Antivirus version 7.0.32 is installed: rpm -qa | grep escan

Check Version:

escan --version | grep 'Version'

Verify Fix Applied:

Verify version is updated beyond 7.0.32 or quarantine handler is disabled

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution from escan processes
  • Failed quarantine operations
  • Suspicious process spawning

Network Indicators:

  • Unexpected outbound connections from antivirus service
  • Command and control traffic

SIEM Query:

process_name:escan AND (cmdline:*sh* OR cmdline:*bash* OR cmdline:*python*)
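An added example, not part of this advisory or the vendor's tooling, that applies the detection idea above (escan-family processes spawning a shell or script interpreter) to a constructed set of process-execution events. The key=value log layout and the parent-process name escan-rtscanner are assumptions; it matches the child executable's basename exactly instead of a *sh* substring, so an unrelated sshd event does not trip it.

```python
import os
import re

# Constructed sample process-execution events (not real eScan logs). The
# key=value layout is an assumption; adapt parse_line() to your auditd/EDR format.
SAMPLE_LOGS = [
    "2025-02-01T10:00:01Z parent=escan-rtscanner proc=/bin/sh cmdline='sh -c id'",
    "2025-02-01T10:00:02Z parent=sshd proc=/usr/sbin/sshd cmdline='sshd: alice [priv]'",
    "2025-02-01T10:00:03Z parent=escan-rtscanner proc=/opt/escan/bin/escanworker cmdline='escanworker --scan /home'",
    "2025-02-01T10:00:04Z parent=escan-rtscanner proc=/bin/bash cmdline='bash -c \"echo test\"'",
    "2025-02-01T10:00:05Z parent=escan-rtscanner proc=/usr/bin/python3 cmdline='python3 -c \"import os\"'",
    "this line is not a process event",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) parent=(?P<parent>\S+) proc=(?P<proc>\S+) cmdline='(?P<cmdline>.*)'$"
)

# Interpreters a quarantine handler has no business spawning. Matching the
# executable's basename exactly avoids the false positives a substring match
# such as *sh* produces (sshd, ssh-agent, flush, ...).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}


def parse_line(line):
    """Return a dict for a process-execution event, or None for unrelated lines."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(event):
    """True when an escan-family parent spawned a shell or script interpreter."""
    parent_is_escan = event["parent"].startswith("escan")
    child = os.path.basename(event["proc"])
    return parent_is_escan and child in INTERPRETERS


def find_suspicious(lines):
    """Filter raw log lines down to the events worth alerting on."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event and is_suspicious(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['parent']} -> {hit['proc']}: {hit['cmdline']}")
```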
