CVE-2025-13818
📋 TL;DR
This vulnerability allows local attackers to escalate privileges by exploiting insecure temporary batch file execution in ESET Management Agent. Attackers can execute arbitrary code with SYSTEM privileges by manipulating batch files created during agent operations. Organizations using ESET Management Agent for Windows are affected.
💻 Affected Systems
- ESET Management Agent for Windows
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation from standard user to SYSTEM, allowing attackers to disable security controls, install backdoors, or access sensitive system resources.
If Mitigated
Limited impact if proper endpoint security controls and least privilege principles are enforced, though SYSTEM access would still be possible.
🎯 Exploit Status
Exploitation requires local access to the system and knowledge of the vulnerable batch file creation process. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.1286.0
Restart Required: Yes
Instructions:
1. Update ESET Management Agent to version 10.1.1286.0 or later through the ESET PROTECT console.
2. Alternatively, download the latest agent installer from the ESET website.
3. Deploy the update to all affected systems.
4. Restart systems after installation.
🔧 Temporary Workarounds
Restrict batch file execution
Windows: Use Group Policy or AppLocker to restrict batch file execution from temporary directories
AppLocker policy: Deny execution of *.bat, *.cmd from %TEMP% and %TMP% directories
Remove vulnerable agent
Windows: Uninstall ESET Management Agent if not required
msiexec /x {ESET Management Agent Product Code} /qn
🧯 If You Can't Patch
- Implement strict least privilege principles to limit standard user capabilities
- Monitor for suspicious batch file creation and execution in temporary directories
🔍 How to Verify
Check if Vulnerable:
Check ESET Management Agent version: Open ESET Management Agent tray icon → About, or check registry: HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\ProductVersion
Check Version:
reg query "HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info" /v ProductVersion
Verify Fix Applied:
Verify version is 10.1.1286.0 or higher using the same methods above
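The version check above as a PowerShell script (an added example, not ESET's code or part of the original advisory). It reads the ProductVersion value named above and compares it numerically against 10.1.1286.0, because a plain string comparison would rank 10.1.999.0 above 10.1.1286.0. The function names are hypothetical.

```powershell
# Added example: local check for the fixed ESET Management Agent build.
# Registry path, value name and fixed version are the ones given on this page.
$FixedVersion = [version]'10.1.1286.0'
$InfoKey      = 'HKLM:\SOFTWARE\ESET\ESET Security\CurrentVersion\Info'

function Test-AgentVersionPatched {
    # Hypothetical helper. Compares dotted versions field by field as numbers.
    param([Parameter(Mandatory)][string]$ProductVersion)
    $parsed = $null
    if (-not [version]::TryParse($ProductVersion.Trim(), [ref]$parsed)) {
        throw "Unparseable ProductVersion: '$ProductVersion'"
    }
    # A three-part value such as '10.1.1286' sorts below '10.1.1286.0',
    # so a truncated version string is reported as Vulnerable, not Patched.
    return $parsed -ge $FixedVersion
}

function Get-AgentPatchStatus {
    # Hypothetical helper. Reads the same value as the reg query command.
    $status = [ordered]@{
        Computer       = $env:COMPUTERNAME
        ProductVersion = $null
        State          = 'NotFound'   # key or value absent on this host
    }
    $item = Get-ItemProperty -Path $InfoKey -Name ProductVersion -ErrorAction SilentlyContinue
    if ($item) {
        $status.ProductVersion = $item.ProductVersion
        try {
            $status.State = if (Test-AgentVersionPatched $item.ProductVersion) {
                'Patched'
            } else {
                'Vulnerable'
            }
        } catch {
            $status.State = 'Unknown'  # value present but not a dotted version
        }
    }
    [pscustomobject]$status
}

Get-AgentPatchStatus
```

A State of NotFound or Unknown means the host needs a manual check through the tray icon, not that it is patched.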
📡 Detection & Monitoring
Log Indicators:
- Unusual batch file creation in temporary directories by ESET processes
- Process execution from temporary directories with SYSTEM privileges
Network Indicators:
- Unusual outbound connections from systems after local privilege escalation
SIEM Query:
Process Creation where (Image contains '.bat' OR Image contains '.cmd') AND (ProcessCommandLine contains '%TEMP%' OR ProcessCommandLine contains '%TMP%') AND ParentImage contains 'ESET'