CVE-2025-14493
📋 TL;DR
This vulnerability in RealDefense SUPERAntiSpyware allows a local attacker to escalate privileges from a low-privileged user account to SYSTEM. The attacker must first be able to execute code on the target system, then invoke an exposed dangerous function in the SAS Core Service, which runs as SYSTEM. All installations of the affected software are vulnerable until the vendor fix is applied.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware is an anti-malware product for Windows, published by RealDefense. Its core functionality runs as a Windows service (SAS Core Service) under the SYSTEM account, which is why a flaw in that service is reachable from any local account.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Reduced impact if code execution by standard users is already constrained (application control, least privilege) and SYSTEM-level changes on endpoints are monitored. Network segmentation does not prevent this local escalation, but it limits what a SYSTEM-level foothold can reach afterward.
🎯 Exploit Status
Exploitation requires local access and the ability to execute code as any user. ZDI has confirmed the vulnerability, and exploitation appears straightforward once that initial foothold is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.realdefense.com/security-advisories
Restart Required: Yes
Instructions:
1. Check current SUPERAntiSpyware version
2. Visit RealDefense website for latest updates
3. Download and install the latest version
4. Restart system to ensure service updates apply
🔧 Temporary Workarounds
Disable SUPERAntiSpyware Service
Temporarily stop and disable the SAS Core Service so the exposed function cannot be reached. This also turns off the product's protection, so treat it as a stopgap until the update is installed. Note that sc.exe takes the service key name, which can differ from the display name shown in services.msc; if the commands report that the service does not exist, look up the "Service name" field in the service's Properties dialog and substitute it:
sc stop "SAS Core Service"
sc config "SAS Core Service" start= disabled
Remove Local User Privileges
Implement strict least privilege to limit the initial attack surface: keep day-to-day accounts out of the local Administrators group and restrict which users can run arbitrary executables, since the attacker needs code execution as a local user before this flaw matters.
🧯 If You Can't Patch
- Uninstall SUPERAntiSpyware if not essential
- Implement application control to block unauthorized execution
🔍 How to Verify
Check if Vulnerable:
Check whether SUPERAntiSpyware is installed and whether the SAS Core Service is present and running, for example with 'sc query "SAS Core Service"' (use the service key name if it differs from the display name).
Check Version:
Check program version in Control Panel > Programs and Features or via SUPERAntiSpyware interface
Verify Fix Applied:
Verify installed version matches or exceeds patched version from vendor advisory
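The three checks above, as one added PowerShell script (example code, not from RealDefense or ZDI). It reads the installed product from the Uninstall registry keys, resolves the service by display name so the real service key name and binary are shown, and compares the installed version against a patched version you pass in. The page gives no patched version number, so the -PatchedVersion parameter and its placeholder default are assumptions; take the real value from the vendor advisory.

```powershell
# Added example: verify SUPERAntiSpyware presence, service state and version.
# -PatchedVersion is an assumed parameter; the page does not state the fixed version.
param(
    [string]$DisplayNamePattern = 'SUPERAntiSpyware*',
    [string]$ServiceDisplayName = 'SAS Core Service',
    [version]$PatchedVersion    = '0.0.0.0'   # placeholder; replace with the vendor's fixed version
)

function Get-InstalledProduct {
    param([string]$Pattern)
    # Uninstall keys for 64-bit and 32-bit installers; the version string is DisplayVersion.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

$products = @(Get-InstalledProduct -Pattern $DisplayNamePattern)
if ($products.Count -eq 0) {
    Write-Output 'SUPERAntiSpyware not found in the Uninstall registry keys: not affected.'
    return
}
$product = $products[0]
$product | Format-List

# sc.exe and Get-Service -Name want the service key name, which is not necessarily the
# display name; resolving by display name avoids that mismatch and prints the key name.
$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output ("Service key name: {0}  status: {1}  start type: {2}" -f $svc.Name, $svc.Status, $svc.StartType)
    # Binary path from the service's registry entry, to confirm which executable runs as SYSTEM.
    $imagePath = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -ErrorAction SilentlyContinue).ImagePath
    Write-Output "Service binary: $imagePath"
} else {
    Write-Output "No service with display name '$ServiceDisplayName' found."
}

# Version comparison. DisplayVersion may contain non-numeric parts, in which case
# [version] parsing fails and the comparison has to be done by hand.
$installed = $null
if (-not [version]::TryParse($product.DisplayVersion, [ref]$installed)) {
    Write-Warning "Could not parse version '$($product.DisplayVersion)'; compare manually against the advisory."
    return
}
if ($PatchedVersion -eq [version]'0.0.0.0') {
    Write-Warning 'No -PatchedVersion supplied; look it up in the vendor advisory before concluding.'
} elseif ($installed -lt $PatchedVersion) {
    Write-Output "VULNERABLE: installed $installed is older than patched $PatchedVersion."
} else {
    Write-Output "OK: installed $installed is at or above patched $PatchedVersion."
}
```

Run it from an elevated prompt so the HKLM service key is readable, e.g. .\Check-SAS.ps1 -PatchedVersion 10.0.1234 once the advisory gives you a number. The registry lookup is used instead of Get-Package or WMI Win32_Product because the latter triggers an MSI consistency check on every installed product.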
📡 Detection & Monitoring
Log Indicators:
- Unusual service control operations on SAS Core Service
- Process creation with SYSTEM privileges from non-admin accounts
- Suspicious DLL loading in SUPERAntiSpyware processes
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
EventID=4688 AND TargetUserName='SYSTEM' AND SubjectUserName NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE') AND SubjectUserName NOT LIKE '%$'
In event 4688 the account that owns the new process is TargetUserName (Windows 10 and later); NewProcessName is the executable path, so matching it against '%SYSTEM%' only finds binaries under System32 and not SYSTEM-owned processes. The trailing clause excludes computer accounts (names ending in $). A tighter second query is 4688 events whose ParentProcessName is the SAS Core Service binary, since that service should rarely spawn child processes.
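The same two detection patterns run directly against the local Security log, as an added PowerShell example (not part of the original page). It requires Audit Process Creation to be enabled; command-line logging is optional but makes the output more useful. The service binary pattern '*SASCORE*' is an assumption about the name of the SAS Core Service executable; set it from the ImagePath of the service on your hosts.

```powershell
# Added example: hunt event 4688 for (1) a SYSTEM process created from an ordinary
# user's context and (2) any child process of the SAS Core Service binary.
# $ServiceBinaryPattern is an assumed default; adjust it to the real ImagePath.
param(
    [int]$MaxEvents = 5000,
    [string]$ServiceBinaryPattern = '*SASCORE*'
)

$systemAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', '-')

function ConvertFrom-Event4688 {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Read the named EventData fields from the XML instead of parsing the message text,
    # which changes with locale and Windows version.
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Subject     = $d['SubjectUserName']   # account whose context created the process
        Target      = $d['TargetUserName']    # account the new process runs as
        NewProcess  = $d['NewProcessName']
        Parent      = $d['ParentProcessName']
        CommandLine = $d['CommandLine']
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-Event4688 -Event $_ }

# Pattern 1: creator is an ordinary account (not a service account, not a computer account
# ending in $), but the new process token is SYSTEM.
$escalations = @($events | Where-Object {
    $_.Target -eq 'SYSTEM' -and ($systemAccounts -notcontains $_.Subject) -and ($_.Subject -notlike '*$')
})

# Pattern 2: anything launched by the service binary itself.
$spawned = @($events | Where-Object { $_.Parent -like $ServiceBinaryPattern })

Write-Output "Ordinary-user -> SYSTEM process creations: $($escalations.Count)"
$escalations | Format-Table Time, Subject, Target, NewProcess, Parent -AutoSize
Write-Output "Children of $ServiceBinaryPattern : $($spawned.Count)"
$spawned | Format-Table Time, NewProcess, CommandLine -AutoSize
```

Expect some legitimate hits for pattern 1 on hosts where users run installers or scheduled tasks that elevate through documented paths; baseline those by NewProcess and Parent before alerting on the rest. Pattern 2 is the more specific signal for this CVE and is worth an alert on its own.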