CVE-2025-14491
📋 TL;DR
This vulnerability in RealDefense SUPERAntiSpyware allows local attackers to escalate privileges from low-privileged user accounts to SYSTEM-level access. Attackers must first gain initial access to execute code on the target system. All installations of SUPERAntiSpyware with the vulnerable SAS Core Service are affected.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware by RealDefense: a Windows anti-malware product. The component affected by this CVE is its SAS Core Service, which runs with SYSTEM privileges, so a flaw reachable from a standard user account becomes a local privilege escalation.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited impact where standard users cannot run arbitrary code on the host (application control), where the SAS Core Service is disabled or the host is patched, and where endpoint protection catches the post-exploitation activity. Network segmentation does not prevent the escalation itself; it only limits what a SYSTEM-level attacker can reach afterwards.
🎯 Exploit Status
Exploitation requires local access and ability to execute code. The exposed dangerous function makes exploitation straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.realdefense.com/security-advisory
Restart Required: Yes
Instructions:
1. Check current SUPERAntiSpyware version
2. Visit RealDefense website for security updates
3. Download and install latest version
4. Restart system to ensure service updates apply
🔧 Temporary Workarounds
Disable SUPERAntiSpyware Service
Windows: temporarily stop and disable the SAS Core Service so its exposed function cannot be reached. Run from an elevated prompt; in PowerShell use sc.exe, because sc alone is an alias for Set-Content. If the service name differs on your build, list services with sc query state= all. Note that this also disables the product's own protection until the patch is installed.
sc stop "SAS Core Service"
sc config "SAS Core Service" start= disabled
Remove Local User Privileges
Windows: enforce least privilege on endpoints (no local admin rights for day-to-day accounts, no unnecessary interactive logon rights) so that fewer accounts can obtain the initial code execution the exploit requires.
🧯 If You Can't Patch
- Uninstall SUPERAntiSpyware if not essential for security operations
- Enforce application control (for example Windows Defender Application Control or AppLocker) so that standard users cannot run unsigned or unapproved code; the exploit needs code execution on the host before it can reach the exposed function
🔍 How to Verify
Check if Vulnerable:
Check if SUPERAntiSpyware is installed and SAS Core Service is running: sc query "SAS Core Service"
Check Version:
Check program version in Control Panel > Programs and Features or via vendor's update checker
Verify Fix Applied:
Verify SUPERAntiSpyware is updated to latest version and service is restarted
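The three checks above, combined into one script as an added example (not RealDefense's code and not part of the original advisory). It reads the product version from the Uninstall registry hives, inspects the service, and gives a per-host verdict. Assumptions: the service is named "SAS Core Service" as the advisory states, and the patched version, which this page does not state, is supplied by the operator from the vendor advisory.

```powershell
# Added example: host-level check for CVE-2025-14491 exposure. Not vendor code.
function Test-SASExposure {
    param(
        [string]$ServiceName = 'SAS Core Service',   # name used by this advisory; confirm with: sc.exe query state= all
        [version]$PatchedVersion = $null             # not stated on this page; take it from the vendor advisory
    )

    # 1. Installed product and version, from the 64-bit and 32-bit Uninstall hives
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'SUPERAntiSpyware*' } |
        Select-Object -First 1

    # 2. Service state, start mode and logon account. A LocalSystem service is what
    #    turns a reachable bug in this component into SYSTEM-level code execution.
    $svc = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
        Select-Object -First 1
    $svcInfo = if ($svc) { Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'" }

    # 3. Verdict. With no patched version known, a running service is treated as exposed.
    $installedVersion = if ($product) { $product.DisplayVersion -as [version] }
    $isPatched = if ($PatchedVersion -and $installedVersion) { $installedVersion -ge $PatchedVersion }
    $status = if (-not $product -and -not $svc) { 'NotInstalled' }
              elseif ($isPatched -eq $true) { 'Patched' }
              elseif ($svc -and $svc.Status -eq 'Running') { 'PotentiallyVulnerable' }
              else { 'InstalledServiceNotRunning' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Product          = $product.DisplayName
        InstalledVersion = $product.DisplayVersion
        PatchedVersion   = $PatchedVersion
        ServiceName      = $svc.Name
        ServiceStatus    = $svc.Status
        ServiceStartMode = $svcInfo.StartMode
        ServiceAccount   = $svcInfo.StartName    # expected: LocalSystem
        ServiceBinary    = $svcInfo.PathName
        Status           = $status
    }
}

# Usage: run from an elevated prompt for full service detail.
Test-SASExposure
# Once the vendor publishes the fixed build, pass it so patched hosts are reported as such:
# Test-SASExposure -PatchedVersion '<version from vendor advisory>'
```

After patching, the same call should report Status = Patched and the service back in the Running state; a host reporting PotentiallyVulnerable with the service disabled as a workaround will show InstalledServiceNotRunning instead, which is the expected interim state.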
📡 Detection & Monitoring
Log Indicators:
- Service control operations on SAS Core Service outside change windows: System log Event ID 7036 (state change) and 7040 (start type change)
- A process running as SYSTEM whose creating account is a standard user: Security Event ID 4688 (or Sysmon Event ID 1) where the Target account is SYSTEM and the Subject account is not
- SUPERAntiSpyware components spawning shells or script hosts such as cmd.exe, powershell.exe or wscript.exe
- Crashes or access-violation errors from the SAS Core Service process (Application log Event ID 1000), which can indicate malformed calls to the exposed function
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
Security Event ID 4688 (or Sysmon Event ID 1) where the new process runs as SYSTEM (Target Security ID S-1-5-18) AND either the Subject account is a standard user (not SYSTEM, LOCAL SERVICE or NETWORK SERVICE) OR the parent process image is a SUPERAntiSpyware component. In 4688 the Target Security ID is the NULL SID (S-1-0-0) when the child runs as its creator, so a SYSTEM target paired with a user-level subject is the escalation signal.
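The query above expressed as a runnable rule, added here as an example and not taken from the advisory or the vendor. It evaluates both conditions against flattened 4688 records and includes a helper that pulls live events from the Security log. Assumptions: process-creation auditing is enabled, SUPERAntiSpyware components are recognised by "SUPERAntiSpyware" in their image path, and service accounts are the three well-known SIDs listed. The sample records at the end are constructed for illustration, not real telemetry, and the parent file name in them is a placeholder.

```powershell
# Added example: 4688-based detection for the CVE-2025-14491 indicators. Not vendor code.
$SystemSid   = 'S-1-5-18'
$ServiceSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
$ShellHosts  = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe')

function Test-SASPrivEscIndicator {
    param([Parameter(Mandatory)][pscustomobject]$Record)
    $reasons = @()
    # Indicator 1: child runs as SYSTEM but the creating account is not a service account.
    # 4688 reports TargetUserSid as S-1-0-0 when the child runs as its creator, so a
    # SYSTEM target only appears when a different (elevated) token was used.
    if ($Record.TargetUserSid -eq $SystemSid -and $Record.SubjectUserSid -notin $ServiceSids) {
        $reasons += "SYSTEM process created by $($Record.SubjectUserName)"
    }
    # Indicator 2: a SUPERAntiSpyware component launches a shell or script host.
    $child = [IO.Path]::GetFileName($Record.NewProcessName)
    if ($Record.ParentProcessName -like '*SUPERAntiSpyware*' -and $child -in $ShellHosts) {
        $reasons += "$child spawned by SUPERAntiSpyware component $($Record.ParentProcessName)"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time        = $Record.Time
            NewProcess  = $Record.NewProcessName
            Parent      = $Record.ParentProcessName
            CommandLine = $Record.CommandLine
            Reasons     = $reasons -join '; '
        }
    }
}

# Flatten live 4688 events from the Security log into the shape the rule consumes.
function Get-ProcessCreationRecord {
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time              = $_.TimeCreated
                SubjectUserSid    = $data['SubjectUserSid']
                SubjectUserName   = $data['SubjectUserName']
                TargetUserSid     = $data['TargetUserSid']
                NewProcessName    = $data['NewProcessName']
                ParentProcessName = $data['ParentProcessName']
                CommandLine       = $data['CommandLine']   # present only if command-line auditing is on
            }
        }
}

# Constructed sample (not real telemetry): one benign record, then one hit per indicator.
$sample = @(
    [pscustomobject]@{ Time = '2025-01-01T10:00:00'; SubjectUserSid = 'S-1-5-18'; SubjectUserName = 'SYSTEM'
                       TargetUserSid = 'S-1-0-0'; NewProcessName = 'C:\Windows\System32\svchost.exe'
                       ParentProcessName = 'C:\Windows\System32\services.exe'; CommandLine = 'svchost.exe -k netsvcs' }
    [pscustomobject]@{ Time = '2025-01-01T10:01:00'; SubjectUserSid = 'S-1-5-21-1-2-3-1001'; SubjectUserName = 'alice'
                       TargetUserSid = 'S-1-5-18'; NewProcessName = 'C:\Windows\System32\cmd.exe'
                       ParentProcessName = 'C:\Users\alice\Downloads\poc.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ Time = '2025-01-01T10:02:00'; SubjectUserSid = 'S-1-5-18'; SubjectUserName = 'SYSTEM'
                       TargetUserSid = 'S-1-0-0'; NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentProcessName = 'C:\Program Files\SUPERAntiSpyware\example-service.exe'   # placeholder file name
                       CommandLine = 'powershell.exe -nop -w hidden -enc ...' }
)
$sample | ForEach-Object { Test-SASPrivEscIndicator $_ } | Format-Table -AutoSize

# Live triage from an elevated prompt:
# Get-ProcessCreationRecord | ForEach-Object { Test-SASPrivEscIndicator $_ }
```

Only the second and third sample records are reported. Indicator 2 will also fire on legitimate product behaviour such as an updater that shells out, so baseline it per environment before alerting on it; indicator 1 is the tighter signal and rarely has a benign explanation on a workstation.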