CVE-2025-1367 – A critical buffer overflow vulnerability exists... (How to Fix)

Q: What is the severity of CVE-2025-1367?

CVE-2025-1367 has a CVSS score of 5.3 (MEDIUM). A critical buffer overflow vulnerability exists in MicroWord eScan Antivirus 7.0.32 on Linux within the USB Password Handler component. This allows local attackers to execute arbitrary code or crash the application by exploiting improper bounds checking in the sprintf function. Only Linux systems running this specific antivirus version are affected.

📋 TL;DR

A critical buffer overflow vulnerability exists in MicroWord eScan Antivirus 7.0.32 on Linux within the USB Password Handler component. This allows local attackers to execute arbitrary code or crash the application by exploiting improper bounds checking in the sprintf function. Only Linux systems running this specific antivirus version are affected.

💻 Affected Systems

Products:

MicroWord eScan Antivirus

Versions: 7.0.32

Operating Systems: Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects the USB Password Handler component. Requires local access to trigger.

📦 What is this software?

Escan Anti Virus by Escanav

View all CVEs affecting Escan Anti Virus →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation leading to full system compromise, data theft, or persistent malware installation.

🟠

Likely Case

Application crash (denial of service) or limited code execution within the antivirus context.

🟢

If Mitigated

Minimal impact if proper access controls prevent local attackers from reaching the vulnerable component.

🌐 Internet-Facing: LOW - Attack requires local access, not remotely exploitable.

🏢 Internal Only: HIGH - Local attackers (including malicious insiders or compromised accounts) can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available in GitHub references. Requires local user access but no authentication to the vulnerable component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

1. Check vendor website for updates. 2. If no patch available, consider alternative antivirus solutions. 3. Uninstall eScan Antivirus 7.0.32 if patching is not possible.

🔧 Temporary Workarounds

Disable USB Password Handler

linux

Temporarily disable or remove the vulnerable USB Password Handler component

sudo systemctl stop escan-usb-protection
sudo systemctl disable escan-usb-protection

Restrict Local Access

linux

Implement strict access controls to prevent unauthorized local users from interacting with the antivirus

sudo chmod 750 /opt/escan/*
sudo chown root:root /opt/escan/*

🧯 If You Can't Patch

Uninstall eScan Antivirus 7.0.32 and replace with alternative security software
Implement strict user access controls and monitor for suspicious local activity

🔍 How to Verify

Check if Vulnerable:

Check installed version: dpkg -l | grep escan or rpm -qa | grep escan. If version is 7.0.32, system is vulnerable.

Check Version:

dpkg -l | grep escan || rpm -qa | grep escan || find /opt -name "escan" -type d

Verify Fix Applied:

Verify version is no longer 7.0.32. Check that USB protection service is disabled: systemctl status escan-usb-protection

📡 Detection & Monitoring

Log Indicators:

Crash logs from escan processes
Unusual process spawning from escan binaries
Buffer overflow warnings in system logs

Network Indicators:

None - this is a local vulnerability

SIEM Query:

Process:name="escan" AND (EventID:1000 OR EventID:1001) OR CommandLine:"sprintf" AND ParentImage:"escan"

📊 Metadata

CVE ID: CVE-2025-1367

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-119

EPSS Score: 0.01% exploit probability (1.9th percentile)

Published: February 17, 2025

Last Updated: June 27, 2025

🔗 References

https://github.com/dmknght/FIS_RnD/blob/main/escan_av_usb_protection_multiple_vulns.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.295971 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?id.295971 Third Party Advisory,VDB Entry
https://github.com/dmknght/FIS_RnD/blob/main/escan_av_usb_protection_multiple_vulns.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-1367, you might also want to check these: