CVE-2025-14488
📋 TL;DR
This vulnerability in RealDefense SUPERAntiSpyware allows local attackers to escalate privileges from low-privileged user accounts to SYSTEM level access. Attackers must first gain execution capability on the target system, then exploit an exposed dangerous function in the SAS Core Service. All installations of SUPERAntiSpyware with the vulnerable component are affected.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware, an anti-malware product by RealDefense; the vulnerable component is its SAS Core Service, which runs as a Windows service with SYSTEM privileges.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and disabling of security controls.
Likely Case
Local privilege escalation leading to persistence establishment, credential harvesting, and installation of additional payloads on compromised systems.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and network segmentation are implemented to contain lateral movement.
🎯 Exploit Status
Requires local code execution first; exploitation likely straightforward once initial access achieved
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-1167/
Restart Required: Yes
Instructions:
1. Check current SUPERAntiSpyware version
2. Visit vendor website for latest version
3. Download and install update
4. Restart system to ensure service updates
🔧 Temporary Workarounds
Disable SUPERAntiSpyware Service
Windows: temporarily disable the vulnerable SAS Core Service to prevent exploitation (note that this also disables the product's own protection while the service is stopped):
sc stop "SAS Core Service"
sc config "SAS Core Service" start= disabled
Remove Local User Privileges
Windows: apply strict least privilege to limit the ability of local users to execute arbitrary code
🧯 If You Can't Patch
- Uninstall SUPERAntiSpyware if not essential for security operations
- Implement application control policies to prevent unauthorized local code execution
🔍 How to Verify
Check if Vulnerable:
Check if SUPERAntiSpyware is installed and running SAS Core Service; review version against vendor advisory
Check Version:
Check program version in Control Panel > Programs or run SUPERAntiSpyware and check About section
Verify Fix Applied:
Verify that SUPERAntiSpyware has been updated to the patched version and that the SAS Core Service is running the updated binary after the restart
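The following PowerShell script is an added example, not part of the advisory, that performs the three checks above on the local host: it looks up the installed product entry and version, reports the state, start type and account of the SAS Core Service, and reads the file version of the service binary so it can be compared with the vendor advisory. It assumes the service name is "SAS Core Service" (as used in the sc commands above) and that the product registers under the standard Uninstall registry keys.

```powershell
# Added example (not from the advisory or the vendor): inventory SUPERAntiSpyware
# and the SAS Core Service so the installed version can be compared against the
# vendor advisory. Assumptions: service name "SAS Core Service"; product listed
# under the standard Uninstall keys. Run from an elevated PowerShell prompt.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Installed product entry (this is the version shown in Control Panel > Programs)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SUPERAntiSpyware*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation

if (-not $product) {
    Write-Output 'SUPERAntiSpyware: not found under the Uninstall registry keys'
} else {
    Write-Output 'SUPERAntiSpyware: installed'
    $product | Format-List
}

# 2. Service state, start type, account and binary path.
#    StartName should be LocalSystem; State=Stopped and StartMode=Disabled means
#    the temporary workaround from the advisory is in effect.
$svc = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name='SAS Core Service' OR DisplayName='SAS Core Service'" `
    -ErrorAction SilentlyContinue

if (-not $svc) {
    Write-Output 'SAS Core Service: not present'
} else {
    $svc | Select-Object Name, DisplayName, State, StartMode, StartName, PathName | Format-List

    # 3. File version of the service binary. PathName may be quoted and may carry
    #    arguments, so extract just the executable path before reading VersionInfo.
    $exe = $svc.PathName
    if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($exe -match '^(\S+\.exe)') { $exe = $Matches[1] }

    if (Test-Path -LiteralPath $exe) {
        Write-Output "Service binary: $exe"
        (Get-Item -LiteralPath $exe).VersionInfo |
            Select-Object FileVersion, ProductVersion, CompanyName | Format-List
    } else {
        Write-Output "Service binary not found at: $exe"
    }
}
```

Compare DisplayVersion and the binary's FileVersion against the patched version named in the ZDI advisory; a product entry that reports the patched version while the service binary still reports an older FileVersion indicates the restart required by the vendor has not yet taken effect.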
📡 Detection & Monitoring
Log Indicators:
- Unusual service control operations on SAS Core Service
- Process creation with SYSTEM privileges from user contexts
- Failed privilege escalation attempts in security logs
Network Indicators:
- Lateral movement attempts following local compromise
- Unexpected outbound connections from SYSTEM context
SIEM Query (generic pseudo-syntax; adapt field names to your platform):
EventID=4688 AND SubjectUserSid!="S-1-5-18" AND TargetUserSid="S-1-5-18"
Caveats: TokenElevationType="%%1938" is TokenElevationTypeLimited, the ordinary standard-user token, so it does not by itself indicate elevation; the TargetUserSid field that identifies the account the new process runs as is present in event 4688 on Windows 10 / Server 2016 and later, and process creation auditing must be enabled for 4688 to be logged at all.