CVE-2025-14492
📋 TL;DR
This vulnerability in RealDefense SUPERAntiSpyware lets a local attacker escalate from a low-privileged user account to SYSTEM. The attacker must first be able to run code on the target as that user, then reach SYSTEM through a dangerous function exposed by the SAS Core Service. All installations of the affected software that have not received the vendor fix are vulnerable.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware is a Windows anti-malware product from RealDefense; the SAS Core Service named in this advisory is the component it installs as a Windows service.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
An attacker who already has code running as a standard user (for example through a phishing payload or a malicious download) uses the flaw to run code as SYSTEM, disables or tampers with security tooling, installs additional malware and establishes persistence that survives the user's session.
If Mitigated
Reduced impact where application control blocks untrusted executables, everyday accounts hold no local administrator rights, and network segmentation limits what a compromised host can reach. None of these removes the flaw, which is reachable from a low-privileged account; they only make the initial foothold harder to obtain and the post-escalation reach smaller.
🎯 Exploit Status
Exploitation requires local access with the ability to run code as any user, but the escalation step itself appears straightforward once that foothold exists. This page references no public proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.realdefense.com/security-advisories
Restart Required: Yes
Instructions:
1. Open SUPERAntiSpyware
2. Navigate to Help > Check for Updates
3. Install available updates
4. Restart the system to ensure service updates are applied
🔧 Temporary Workarounds
Disable SUPERAntiSpyware Service
Temporarily stop and disable the vulnerable SAS Core Service so the exposed function cannot be reached:
sc stop "SAS Core Service"
sc config "SAS Core Service" start= disabled
Caveats: sc takes the service key name, not the display name, so confirm the exact name first with sc query type= service state= all (or sc getdisplayname <name>); the space after start= is required. Disabling the service also disables the product's protection, so treat this as a short-term measure until the patch is applied, then restore the original start type (for example sc config "<name>" start= auto).
Remove Local User Privileges
Enforce least privilege for everyday accounts (no local administrator rights, no shared admin credentials). This does not block the escalation itself, which is reachable from a low-privileged account, but it narrows the ways an attacker obtains the initial foothold the exploit needs.
🧯 If You Can't Patch
- Uninstall SUPERAntiSpyware if not critically needed
- Implement application control policies to prevent unauthorized execution
🔍 How to Verify
Check if Vulnerable:
The host is in scope if SUPERAntiSpyware is installed and its SAS Core Service exists: look for the product under Settings > Apps (or Programs and Features) and run sc query type= service state= all to find the service and its current state.
Check Version:
Read the version from the SUPERAntiSpyware About dialog or from the DisplayVersion of the installed program entry, and compare it with the fixed version in the vendor advisory (the fixed version is not stated on this page).
Verify Fix Applied:
After updating, confirm the installed version is at or above the fixed version from the advisory, that the system has been restarted, and that the SAS Core Service is running the updated binary (sc qc <name> shows BINARY_PATH_NAME; check that file's version).
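The checks above and the service workaround from the Temporary Workarounds section, as an added PowerShell script (not vendor code): it reads the installed version from the Uninstall registry keys, resolves the real service key name for the SAS Core Service so that sc or Set-Service get the right name, reports the service state, and, only when run with -DisableService, applies the temporary workaround. The display-name patterns *SUPERAntiSpyware* and *SAS Core*, the binary-path match, and the -DisableService switch are assumptions of this script; run it from an elevated PowerShell prompt.

```powershell
# Check-SASExposure.ps1 (added example, not vendor code). Assumptions: the product
# registers an Uninstall entry whose DisplayName contains "SUPERAntiSpyware", and
# its core service has a DisplayName containing "SAS Core" or a binary path
# containing "SUPERAntiSpyware". Run from an elevated PowerShell prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DisableService      # apply the temporary workaround (stop + disable)
)

# 1. Is the product installed, and which version? Read both registry views
#    (native and WOW6432Node) so a 32-bit install on 64-bit Windows is found.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SUPERAntiSpyware*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation

if (-not $product) {
    Write-Output 'SUPERAntiSpyware is not installed; this host is out of scope for CVE-2025-14492.'
    return
}
Write-Output 'Installed product (compare DisplayVersion with the fixed version in the vendor advisory):'
$product | Format-List | Out-String | Write-Output

# 2. Resolve the service. "sc" and Set-Service need the service key name (Name),
#    not the display name, so match on DisplayName / binary path and print both.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like '*SAS Core*' -or $_.PathName -like '*SUPERAntiSpyware*' }

if (-not $services) {
    Write-Warning 'No service matching the SAS Core Service pattern was found; list services with: sc query type= service state= all'
    return
}
Write-Output 'Core service(s): State=Running with a StartMode other than Disabled means the exposed function is reachable.'
$services | Select-Object Name, DisplayName, State, StartMode, PathName | Format-List | Out-String | Write-Output

# 3. Optional workaround: stop and disable each matched service. The product's
#    protection is lost until it is re-enabled, so only do this until patched.
if ($DisableService) {
    foreach ($svc in $services) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop service and set StartupType=Disabled')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction Stop
            Set-Service  -Name $svc.Name -StartupType Disabled
            Write-Output "Disabled $($svc.Name). Re-enable after patching with: Set-Service -Name $($svc.Name) -StartupType Automatic"
        }
    }
}
```

Run it without arguments to audit; add -DisableService -WhatIf to preview the workaround and -DisableService to apply it. Self-protecting security products may refuse Stop-Service, in which case the script's -ErrorAction Stop surfaces the error rather than silently leaving the service running.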
📡 Detection & Monitoring
Log Indicators:
- Service Control Manager events in the System log touching the SAS Core Service: 7036 (service entered the running or stopped state), 7040 (start type changed), 7045 (new service installed)
- Security event 4688 (process creation) where the parent process is the SUPERAntiSpyware binary, or where the creating account (Subject fields) is a normal user but the new process runs as NT AUTHORITY\SYSTEM (Target fields, present on Windows 10 / Server 2016 and later)
- 4688 is only written when Audit Process Creation is enabled; also enable "Include command line in process creation events" so the CommandLine field is populated
Network Indicators:
- None specific; exploitation is local. Watch instead for what follows a successful escalation, such as new outbound connections from SYSTEM-level processes or lateral-movement traffic (SMB, RDP) to other hosts
SIEM Query:
Security 4688 where ParentProcessName contains the SUPERAntiSpyware install path, OR where SubjectUserName is not SYSTEM and TargetUserName is SYSTEM; plus System 7036/7040/7045 from Service Control Manager whose message names the SAS Core Service
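The indicators above as an added PowerShell hunt script (not from the vendor or the CVE record); it reads the local Security and System logs and prints candidate events. The product path pattern, the look-back window and the "SAS Core" message filter are assumptions; it needs Audit Process Creation enabled and, for the creator-versus-target check, the TargetUserName field that 4688 carries on Windows 10 / Server 2016 and later. Run it elevated, since reading the Security log requires it.

```powershell
# Hunt-SASEscalation.ps1 (added example, not vendor code). Assumptions: the product
# binaries live under a path containing "SUPERAntiSpyware" and the service display
# name contains "SAS Core"; adjust the two parameters if your install differs.
param(
    [int]$Hours = 24,                                   # look-back window
    [string]$ProductPathPattern = '*SUPERAntiSpyware*'  # matches ParentProcessName / service path
)
$since = (Get-Date).AddHours(-$Hours)

# Turn an event's <EventData> into a hashtable keyed by each <Data Name="..."> attribute;
# this is more reliable than the positional Properties array across OS versions.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Indicator 1: 4688 process creation. Flag when the new process runs as SYSTEM but the
# creating account is not SYSTEM (a user-mode process obtained a SYSTEM token), or when
# the parent is the product's own binary (a child spawned through the service).
# Expect some tuning: legitimate software that brokers SYSTEM processes will show up too.
$processHits = foreach ($e in (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue)) {
    $d = Get-EventData -Event $e
    $creatorIsSystem = ($d['SubjectUserName'] -eq 'SYSTEM')
    $runsAsSystem    = ($d['TargetUserName']  -eq 'SYSTEM')   # field absent on older OS builds
    $parentIsProduct = ($d['ParentProcessName'] -like $ProductPathPattern)
    if (($runsAsSystem -and -not $creatorIsSystem) -or $parentIsProduct) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Creator     = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            RunsAs      = '{0}\{1}' -f $d['TargetDomainName'],  $d['TargetUserName']
            Parent      = $d['ParentProcessName']
            NewProcess  = $d['NewProcessName']
            CommandLine = $d['CommandLine']   # empty unless command-line auditing is enabled
        }
    }
}

# Indicator 2: Service Control Manager events naming the product's service:
# 7036 state change, 7040 start type changed (what "sc config ... start= disabled"
# produces), 7045 new service installed. Matching on Message avoids depending on
# the parameter order, which differs between these three event IDs.
$scmHits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7040, 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*SAS Core*' -or $_.Message -like $ProductPathPattern } |
    Select-Object TimeCreated, Id, Message

Write-Output "4688 candidates in the last $Hours h: $(@($processHits).Count)"
$processHits | Sort-Object Time | Format-Table -AutoSize -Wrap | Out-String | Write-Output
Write-Output "SCM events touching the product service: $(@($scmHits).Count)"
$scmHits | Format-Table -AutoSize -Wrap | Out-String | Write-Output
```

A 4688 hit whose Creator is an ordinary user and whose RunsAs is NT AUTHORITY\SYSTEM is the direct signature of the escalation; a 7040 hit outside a change window shows someone turning the service on or off, which is worth a look whether it was an attacker disabling protection or an administrator applying the workaround.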