CVE-2025-13032
📋 TL;DR
A double fetch vulnerability in the sandbox kernel driver of Avast/AVG Antivirus on Windows allows a local attacker to escalate privileges via a pool overflow. It affects Avast and AVG Antivirus versions below 25.3 on Windows. An attacker with a lower-privileged local account can gain SYSTEM-level privileges.
💻 Affected Systems
- Avast Antivirus
- AVG Antivirus
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, malware persistence, and disabling of security controls.
Likely Case
Local attacker escalates to SYSTEM privileges to install malware, steal credentials, or bypass security software.
If Mitigated
Attack fails due to patch deployment, restricted local access, or security controls preventing kernel exploitation.
🎯 Exploit Status
Requires local access and knowledge of kernel exploitation techniques. A double fetch is a race condition between user-space and kernel-space memory access: the kernel reads the same user-controlled value twice, and the value can change between the two reads, so a check made on the first read no longer holds for the second.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.3 or later
Vendor Advisory: https://www.gendigital.com/us/en/contact-us/security-advisories/
Restart Required: Yes
Instructions:
1. Open Avast/AVG Antivirus.
2. Go to Settings > Update > Program.
3. Click 'Update' to install the latest version.
4. Restart the computer when prompted.
🔧 Temporary Workarounds
Disable vulnerable driver
Platform: Windows
Temporarily disable the sandbox kernel driver to prevent exploitation (this will reduce security functionality)
sc stop aswSP
sc config aswSP start= disabled
Restrict local access
Platform: all
Implement strict local access controls and monitor for suspicious local privilege escalation attempts
🧯 If You Can't Patch
- Implement strict principle of least privilege for all user accounts
- Monitor for suspicious kernel driver activity and local privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Avast/AVG version in Settings > About. If the version is below 25.3, the system is vulnerable.
Check Version:
wmic product where "name like '%Avast%' or name like '%AVG%'" get name, version
Verify Fix Applied:
Verify that the version is 25.3 or higher in Settings > About, and check that the aswSP service is running normally.
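As an added check (not part of the advisory), the script below parses the output of the wmic command above and compares each product's version numerically against 25.3, because a plain string comparison would wrongly treat a version such as 25.10 as older than 25.3; the sample wmic output is constructed.

```python
import re
import subprocess

# First fixed version according to the advisory.
FIXED_VERSION = (25, 3)

# Constructed sample of "wmic product ... get name, version" output.
SAMPLE_WMIC_OUTPUT = """\
Name                 Version
Avast Antivirus      25.2.6236
AVG Antivirus        25.10.1234
"""

# Command quoted exactly as on the advisory page (run via cmd.exe).
WMIC_COMMAND = (
    "wmic product where \"name like '%Avast%' or name like '%AVG%'\" "
    "get name, version"
)

def parse_version(text):
    """Turn '25.2.6236' into (25, 2, 6236) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def is_vulnerable(version):
    """True when the installed version is below 25.3 (e.g. 25.2.x or 24.x)."""
    return parse_version(version) < FIXED_VERSION

def parse_wmic_output(output):
    """Map product name -> version string from wmic's column-aligned output."""
    products = {}
    for line in output.splitlines():
        # The version is the dotted numeric token at the end of each data row;
        # the header row and blank lines do not match.
        match = re.match(r"^(.*\S)\s+(\d+(?:\.\d+)+)\s*$", line)
        if match:
            products[match.group(1).strip()] = match.group(2)
    return products

def check_products(output):
    """Map product name -> True if that product is still vulnerable."""
    return {name: is_vulnerable(ver) for name, ver in parse_wmic_output(output).items()}

if __name__ == "__main__":
    # Run the live query on Windows; fall back to the constructed sample elsewhere.
    try:
        live = subprocess.run(WMIC_COMMAND, shell=True, capture_output=True, text=True)
        output = live.stdout if live.returncode == 0 and live.stdout.strip() else SAMPLE_WMIC_OUTPUT
    except OSError:
        output = SAMPLE_WMIC_OUTPUT
    for name, vulnerable in check_products(output).items():
        print(f"{name}: {'VULNERABLE (below 25.3)' if vulnerable else 'patched'}")
```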
📡 Detection & Monitoring
Log Indicators:
- Kernel driver crashes (Event ID 1001)
- Unexpected privilege escalation events
- Suspicious access to kernel memory
Network Indicators:
- None - this is a local exploit
SIEM Query:
(EventID=1001 AND Source="Windows Error Reporting" AND Description contains "aswSP") OR (ProcessName contains "Avast" AND NewIntegrityLevel="System")