CVE-2025-14494
📋 TL;DR
This vulnerability in RealDefense SUPERAntiSpyware allows local attackers to escalate privileges from low-privileged user accounts to SYSTEM level. Attackers must first gain initial access to execute code on the target system. All installations of the affected software are vulnerable.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware by RealDefense
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation leading to persistence mechanisms, credential dumping, and installation of additional malicious tools.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and network segmentation are in place.
🎯 Exploit Status
Exploitation requires local access and the ability to execute low-privileged code first. The exposed dangerous function makes exploitation straightforward once that initial access is achieved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in advisory
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-1163/
Restart Required: Yes
Instructions:
1. Check for updates in SUPERAntiSpyware.
2. Install the latest version.
3. Restart the system to ensure the SAS Core Service is updated.
🔧 Temporary Workarounds
Remove SUPERAntiSpyware
(Windows) Uninstall the vulnerable software if it is not required:
Control Panel > Programs > Uninstall a program > Select SUPERAntiSpyware > Uninstall
Restrict Service Permissions
(Windows) Limit who can interact with the SAS Core Service. Note that sc.exe sdset replaces the service's entire security descriptor, so record the current one with sc.exe sdshow first, and that the argument is the service's internal name, which may differ from the display name shown in services.msc:
sc.exe sdset "SAS Core Service" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict least privilege principles to limit local user access
- Deploy endpoint detection and response (EDR) to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the installed SUPERAntiSpyware version and confirm whether the SAS Core Service is running. Because the advisory names no fixed version, treat any installation as vulnerable until the vendor update has been applied.
Check Version:
Check the SUPERAntiSpyware About dialog, or examine the version information of the installed program files.
Verify Fix Applied:
Verify that SUPERAntiSpyware has been updated to the latest version and the system restarted, then check that the running SAS Core Service is the updated version.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from SUPERAntiSpyware directories
- SAS Core Service spawning unexpected child processes
- Privilege escalation events in Windows Security logs
Network Indicators:
- None - local exploitation only
SIEM Query:
Process Creation where (Image contains 'SUPERAntiSpyware' OR ParentImage contains 'SUPERAntiSpyware') AND IntegrityLevel changed
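The two log indicators and the SIEM query above, expressed as runnable detection logic over Sysmon-style Event ID 1 (process creation) records. This is an added example, not part of the advisory; the event records, GUIDs and the executable names under the SUPERAntiSpyware directory are constructed placeholders.

```python
# Added example (not from the advisory): detection over constructed Sysmon
# Event ID 1 records. GUIDs and executable names below are placeholders.
PRODUCT_MARKER = "superantispyware"   # substring of the product's install path
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}

def in_product_dir(path):
    """True when an image path points into the SUPERAntiSpyware directory."""
    return PRODUCT_MARKER in path.lower()

def detect(events):
    """Return (ProcessGuid, reason) pairs for records matching the indicators:
    a product process spawning a child outside its directory, or a product-related
    child running at a higher integrity level than its parent. Event ID 1 records
    only the child's IntegrityLevel, so the parent's is joined via ParentProcessGuid."""
    level_by_guid = {e["ProcessGuid"]: e["IntegrityLevel"] for e in events}
    findings = []
    for e in events:
        child, parent = e["Image"], e["ParentImage"]
        if not (in_product_dir(child) or in_product_dir(parent)):
            continue  # same scope as the SIEM query above
        if in_product_dir(parent) and not in_product_dir(child):
            findings.append((e["ProcessGuid"], "product process spawned child outside its directory"))
            continue
        parent_level = level_by_guid.get(e["ParentProcessGuid"])
        if parent_level and INTEGRITY_RANK.get(e["IntegrityLevel"], -1) > INTEGRITY_RANK.get(parent_level, -1):
            findings.append((e["ProcessGuid"], "integrity level rose from %s to %s"
                             % (parent_level, e["IntegrityLevel"])))
    return findings

SAS_DIR = r"C:\Program Files\SUPERAntiSpyware"
SAMPLE_EVENTS = [  # constructed: benign service start and user session, then two suspicious records
    {"ProcessGuid": "G1", "ParentProcessGuid": "G0", "Image": r"C:\Windows\System32\services.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe", "IntegrityLevel": "System"},
    {"ProcessGuid": "G2", "ParentProcessGuid": "G1", "Image": SAS_DIR + r"\CoreService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "IntegrityLevel": "System"},
    {"ProcessGuid": "G3", "ParentProcessGuid": "G0", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "IntegrityLevel": "Medium"},
    {"ProcessGuid": "G4", "ParentProcessGuid": "G3", "Image": SAS_DIR + r"\GuiClient.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"ProcessGuid": "G5", "ParentProcessGuid": "G2", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": SAS_DIR + r"\CoreService.exe", "IntegrityLevel": "System"},
    {"ProcessGuid": "G6", "ParentProcessGuid": "G4", "Image": SAS_DIR + r"\Helper.exe",
     "ParentImage": SAS_DIR + r"\GuiClient.exe", "IntegrityLevel": "System"},
]

if __name__ == "__main__":
    for guid, reason in detect(SAMPLE_EVENTS):
        print(guid, reason)
```

Only the service-spawned cmd.exe (G5) and the Medium-to-System jump (G6) are reported; the benign service start and GUI launch are not.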