CVE-2025-14489
📋 TL;DR
This vulnerability in RealDefense SUPERAntiSpyware allows a local attacker who already runs code as a low-privileged user to escalate to SYSTEM. It is not remotely exploitable on its own: the attacker must first obtain a foothold on the host (phishing, a malicious download, an existing compromised account) and execute code there. All unpatched installations of the affected software are exposed.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware is a Windows anti-malware product, now published by RealDefense; the product and its original vendor share the name, which is why inventories list it as "Superantispyware by Superantispyware". Its core engine runs as a Windows service (the SAS Core Service) with SYSTEM privileges, which is why a flaw reachable from a low-privileged user translates directly into full control of the host.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM-level privileges, enabling installation of persistent malware, credential theft, lateral movement, and disabling of security controls.
Likely Case
Local privilege escalation allowing attackers to bypass application controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited if the attacker cannot obtain the initial low-privileged foothold: least privilege, application control and endpoint protection reduce the chance that untrusted code runs on the host at all, and network segmentation limits where a compromised host can reach afterwards. None of these remove the flaw; only the patch does.
🎯 Exploit Status
Exploitation requires local access and the ability to run code as a low-privileged user first. Once that foothold exists, exploitation is straightforward: the weakness is an exposed dangerous function, meaning the SYSTEM-level service makes a privileged operation reachable from a lower-privileged context, so no memory corruption or race condition has to be won. See the ZDI advisory below for the technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not listed on this page; see the ZDI advisory linked below for the vendor's fix information and the fixed release
Advisory (ZDI, coordinated with the vendor): https://www.zerodayinitiative.com/advisories/ZDI-25-1165/
Restart Required: Yes
Instructions:
1. Update through the product's built-in update feature, or download the current installer from the RealDefense website
2. Install the latest version
3. Restart the system so the SAS Core Service is restarted from the updated binary (an updated file on disk does not protect a service process that is still running the old code)
4. Confirm that the installed version matches the fixed release named in the advisory
🔧 Temporary Workarounds
Remove or Disable SUPERAntiSpyware
Windows: Uninstall the vulnerable software, or stop the SAS Core Service and prevent it from starting again. This also removes the product's anti-malware protection, so plan for a replacement. Security products commonly protect their own service from being stopped; if the commands below fail with access denied, uninstall instead.
sc stop "SAS Core Service"
sc config "SAS Core Service" start= disabled
Restrict Service Permissions
Windows: Tighten the service's security descriptor so that low-privileged users cannot control the service. The SDDL below is the standard Windows default for services (SYSTEM and Administrators: full control; Interactive and Service users: query and status only), so applying it only helps if the installer granted broader rights; check the current descriptor first with sc sdshow "SAS Core Service". Be aware that a service DACL governs Service Control Manager operations only (start, stop, query, reconfigure). It does not restrict whatever interface the service itself exposes to local callers, so it does not address the exposed function directly and must not be treated as a substitute for the patch.
sc sdset "SAS Core Service" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict least privilege principles to limit initial access vectors
- Deploy application control solutions to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check whether SUPERAntiSpyware is installed and whether the SAS Core Service exists and is running (the Services console or the sc tool will show both). A stopped or disabled service still leaves the vulnerable binary on disk, so treat any installation below the fixed version as vulnerable.
Check Version:
wmic product where name="SUPERAntiSpyware" get version
Caveats: wmic is deprecated and absent from recent Windows 11 builds; Win32_Product only lists MSI-installed products and querying it triggers an MSI consistency check of every installed package; and the name filter must match the registered product name exactly, so an empty result does not mean the software is absent. Reading the Uninstall registry keys with a wildcard on the display name is the more reliable check.
Verify Fix Applied:
Compare the file version of the SAS Core Service executable (its path is the service's BINARY_PATH_NAME) against the fixed release named in the advisory, and confirm the running service process was started after the binary was replaced; otherwise the old code is still executing and a restart is needed.
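The checks above, and the service DACL inspection from the workaround section, as one script. This is an added example, not RealDefense or ZDI code. It assumes the service name "SAS Core Service" as given on this page; the patched version is not known to the script and must be supplied from the ZDI advisory. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not vendor code): inventory check for CVE-2025-14489.
# Finds the product, reports the SAS Core Service state, binary and file version,
# compares against a patched version supplied by the operator, and dumps the service DACL.
param(
    [string]$ServiceName = 'SAS Core Service',   # service name as given on the advisory page
    [version]$PatchedVersion                     # assumption: take this value from ZDI-25-1165
)

# 1. Installed product. The Uninstall keys cover MSI and non-MSI installers and,
#    unlike Win32_Product, reading them does not trigger an MSI consistency check.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SUPERAntiSpyware*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation
if ($products) { $products | Format-List } else { Write-Output 'No SUPERAntiSpyware entry in the Uninstall keys' }

# 2. Service state and the executable it runs. PathName may be quoted and carry arguments.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Output "Service '$ServiceName' is not installed"; return }
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$vi  = (Get-Item -LiteralPath $exe).VersionInfo
$fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
Write-Output "Service: $($svc.Name)  State: $($svc.State)  StartMode: $($svc.StartMode)  Account: $($svc.StartName)"
Write-Output "Binary:  $exe  FileVersion: $fileVersion"

# 3. Verdict. A patched file on disk is not enough: the running process must be the new
#    binary, which is why the advisory says a restart is required.
if ($PatchedVersion) {
    if ($fileVersion -ge $PatchedVersion) { Write-Output "Binary $fileVersion is at or above patched version $PatchedVersion" }
    else { Write-Output "VULNERABLE: binary $fileVersion is below patched version $PatchedVersion" }
}
if ($svc.ProcessId -gt 0) {
    try {
        $started = (Get-Process -Id $svc.ProcessId).StartTime
        if ($started -lt (Get-Item -LiteralPath $exe).LastWriteTime) {
            Write-Output 'Running service process predates the binary on disk: restart required'
        }
    } catch { Write-Output "Could not read process start time: $($_.Exception.Message)" }
}

# 4. Service DACL. This covers Service Control Manager rights only; it says nothing
#    about the interface the service exposes to local callers.
sc.exe sdshow $ServiceName
```

Usage: `.\Check-SAS.ps1 -PatchedVersion 1.2.3.4` with the version taken from the advisory; without the parameter the script only reports what is installed. The version comparison uses the executable's file version rather than the Uninstall key's DisplayVersion because the service binary is what actually runs as SYSTEM.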
📡 Detection & Monitoring
Log Indicators:
- Service Control Manager events in the System log for the SAS Core Service outside maintenance windows: 7036 (state change), 7040 (start type changed)
- Processes spawned by the SAS Core Service executable and running as SYSTEM, especially shells and script hosts (cmd.exe, powershell.exe, rundll32.exe, mshta.exe); an anti-malware service has no reason to launch these
- A burst of activity from a low-privileged account on a host immediately followed by new SYSTEM-level processes or new services, scheduled tasks or local accounts on the same host
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query (pseudo-syntax; substitute the service executable's path from the service's BINARY_PATH_NAME and your platform's field names):
EventID=4688 AND SubjectUserSid="S-1-5-18" AND ParentProcessName="<SAS Core Service binary path>" AND NewProcessName IN ("*\cmd.exe", "*\powershell.exe", "*\pwsh.exe", "*\rundll32.exe", "*\regsvr32.exe", "*\mshta.exe", "*\wscript.exe", "*\cscript.exe")
Notes on the query: the process of interest after a successful escalation runs as SYSTEM, so excluding SYSTEM would discard the hit; "SAS Core Service" is the service name, not an executable name, so matching it against NewProcessName never fires; and in event 4688 the SYSTEM account appears with Account Name set to the computer account (HOST$), so filter on the SID S-1-5-18 rather than the string "SYSTEM". Audit Process Creation must be enabled, command-line logging is needed to see what the child did, and the Creator Process Name (ParentProcessName) field is only present on Windows 10 / Server 2016 and later.
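The detection logic behind that query, run over constructed sample events. This is an added example, not code from RealDefense, ZDI or this page. Field names follow the EventData names of Security event 4688; the service executable path is a placeholder to be replaced with the BINARY_PATH_NAME of the SAS Core Service, and the three sample events are constructed, not real telemetry.

```powershell
# Added example (not vendor or ZDI code): flag SYSTEM shells spawned by the service binary.

function ConvertFrom-ProcessCreationEvent {
    # Flatten a Get-WinEvent 4688 record into the fields the detector uses.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $d = @{}
        foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Record.TimeCreated
            EventId           = $Record.Id
            SubjectUserSid    = $d['SubjectUserSid']     # S-1-5-18 for SYSTEM; SubjectUserName would be HOST$, not "SYSTEM"
            ParentProcessName = $d['ParentProcessName']
            NewProcessName    = $d['NewProcessName']
            CommandLine       = $d['CommandLine']        # empty unless command-line auditing is enabled
        }
    }
}

function Find-ServiceSpawnedShell {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object]$Evt,
        [Parameter(Mandatory)][string]$ServiceImagePath,
        [string[]]$SuspiciousChildren = @('cmd.exe','powershell.exe','pwsh.exe','rundll32.exe',
                                          'regsvr32.exe','mshta.exe','wscript.exe','cscript.exe')
    )
    process {
        if ($Evt.EventId -ne 4688) { return }
        if ($Evt.SubjectUserSid -ne 'S-1-5-18') { return }            # only SYSTEM-level children matter here
        if ($Evt.ParentProcessName -ne $ServiceImagePath) { return }  # -ne is case-insensitive in PowerShell
        $leaf = Split-Path -Leaf $Evt.NewProcessName
        if ($SuspiciousChildren -contains $leaf) {
            [pscustomobject]@{
                TimeCreated = $Evt.TimeCreated
                Parent      = $Evt.ParentProcessName
                Child       = $Evt.NewProcessName
                CommandLine = $Evt.CommandLine
                Reason      = "SYSTEM $leaf spawned by the SAS Core Service binary"
            }
        }
    }
}

# Placeholder path (hypothetical): replace with BINARY_PATH_NAME from  sc qc "SAS Core Service"
$serviceExe = 'C:\Program Files\Vendor\CoreService.exe'

# Constructed sample events, not real telemetry. Only the second one should fire:
# the first is a user's own shell, the third is a non-shell child of the service.
$sample = @(
    [pscustomobject]@{ TimeCreated=[datetime]'2025-01-01T10:00:00'; EventId=4688; SubjectUserSid='S-1-5-21-1-2-3-1001'
                       ParentProcessName='C:\Windows\explorer.exe'; NewProcessName='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe' }
    [pscustomobject]@{ TimeCreated=[datetime]'2025-01-01T10:00:05'; EventId=4688; SubjectUserSid='S-1-5-18'
                       ParentProcessName=$serviceExe; NewProcessName='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe /c whoami > C:\Users\Public\out.txt' }
    [pscustomobject]@{ TimeCreated=[datetime]'2025-01-01T10:00:09'; EventId=4688; SubjectUserSid='S-1-5-18'
                       ParentProcessName=$serviceExe; NewProcessName='C:\Program Files\Vendor\Updater.exe'; CommandLine='' }
)
$sample | Find-ServiceSpawnedShell -ServiceImagePath $serviceExe | Format-Table -AutoSize

# Live use against the last 24 hours of the Security log (elevated prompt):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1)} |
#     ConvertFrom-ProcessCreationEvent | Find-ServiceSpawnedShell -ServiceImagePath $serviceExe
```

The parent-path match is exact on purpose: a wildcard on the service name would also match anything an attacker drops into a similarly named folder. Extend the child list with whatever your EDR already treats as a living-off-the-land binary rather than trying to enumerate every shell here.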