CVE-2025-14490
📋 TL;DR
This vulnerability in RealDefense SUPERAntiSpyware allows local attackers who already have low-privileged access to escalate to SYSTEM privileges by exploiting an exposed dangerous function in the SAS Core Service. Affected users are those running vulnerable versions of SUPERAntiSpyware on Windows systems.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware, an anti-spyware product from RealDefense that runs the SAS Core Service on Windows
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM-level code execution, enabling attackers to install persistent malware, steal credentials, disable security controls, and maintain persistent access.
Likely Case
Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security restrictions, install additional malware, or access protected system resources.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and application control are enforced, though the vulnerability still provides a path for privilege escalation.
🎯 Exploit Status
Exploitation requires local access and the ability to execute code as a low-privileged user first; the exposed dangerous function makes exploitation straightforward once that initial access is achieved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available references
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-1166/
Restart Required: Yes
Instructions:
1. Check for updates in SUPERAntiSpyware
2. Install the latest version from official RealDefense sources
3. Restart the system to ensure the SAS Core Service is updated
🔧 Temporary Workarounds
Disable or Remove SUPERAntiSpyware
Platform: Windows
Uninstall or disable the vulnerable software if it is not essential
Control Panel > Programs > Uninstall a program > Select SUPERAntiSpyware > Uninstall
Restrict Service Permissions
Platform: Windows
Modify SAS Core Service permissions to prevent low-privileged users from interacting with it
sc.exe sdset SASCoreService D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict application control policies to prevent unauthorized software execution
- Enforce least privilege principles and segment user accounts to limit lateral movement
🔍 How to Verify
Check if Vulnerable:
Check the installed SUPERAntiSpyware version and compare it against the vendor's patched-version announcement
Check Version:
Check SUPERAntiSpyware About dialog or examine installed programs list
Verify Fix Applied:
Verify that the SAS Core Service has been updated and that privilege escalation attempts fail
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from SAS Core Service
- Privilege escalation attempts involving SUPERAntiSpyware processes
- Suspicious service control manager events
Network Indicators:
- Not applicable - local privilege escalation only
SIEM Query:
Process Creation where Parent Process Name contains 'SAS' OR Service Control Manager events related to 'SAS Core Service'
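The pseudo-query above, written out as an added PowerShell hunt (example code, not from the advisory or the vendor). It assumes Security event 4688 auditing is enabled on the host and that the SAS Core Service's binaries and service name contain the string 'SAS'.

```powershell
# Added example (not from the advisory): look for the Log Indicators above on a Windows host.
# Assumptions: Security 4688 auditing is on; 'SAS' matches the SAS Core Service process/service names.
param(
    [int]$Hours = 24,
    [string]$NamePattern = 'SAS'
)
$since = (Get-Date).AddHours(-$Hours)

# 1. Process creations whose parent is a SAS process (Security 4688 carries ParentProcessName/NewProcessName).
$procHits = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Parent  = $d['ParentProcessName']
            Child   = $d['NewProcessName']
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Token   = $d['TokenElevationType']   # %%1936 = full token; unexpected for a standard user's child
        }
    } | Where-Object { $_.Parent -match $NamePattern }

# 2. Service Control Manager events mentioning the SAS Core Service:
#    7045 = new service installed, 7040 = start type changed, 7036 = entered running/stopped state.
$scmHits = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7045,7040,7036; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $NamePattern } |
    Select-Object TimeCreated, Id, Message

"Process creations parented by '$NamePattern' processes in the last $Hours h: $($procHits.Count)"
$procHits | Format-Table -AutoSize
"Service Control Manager events mentioning '$NamePattern': $($scmHits.Count)"
$scmHits | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session, since reading the Security log requires administrative rights; a child process of the service started on behalf of an interactive standard user is the event worth investigating.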