CVE-2025-14495
📋 TL;DR
This vulnerability allows a local attacker to escalate privileges from a low-privileged account to SYSTEM on systems running RealDefense SUPERAntiSpyware. The flaw is in the SAS Core Service, the product's SYSTEM-level background service, which exposes a dangerous function to callers who should not be able to reach it. Every installation that has not applied the vendor patch is affected.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware by RealDefense: a Windows anti-malware product whose scanning and protection work is carried out by a background Windows service, the SAS Core Service, which runs as SYSTEM.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the host with SYSTEM privileges: installation of persistent malware, theft of credentials cached on the machine, and disabling of security controls, including the anti-malware product itself.
Likely Case
An attacker who already runs code as a standard user on the host (for example via a phishing payload or a trojanized installer) uses the flaw to become SYSTEM, then dumps local credentials, establishes persistence, and uses the harvested credentials for lateral movement and data exfiltration.
If Mitigated
Limited impact where the controls that block the prerequisite are in place: the flaw is only reachable after low-privileged code execution, so application control that stops unauthorized binaries, least privilege for local accounts, unique local administrator credentials, and network segmentation confine the damage to a single host.
🎯 Exploit Status
Exploitation requires local access and the ability to run code as a low-privileged user first. "Exposed dangerous function" names a bug class rather than a memory-corruption primitive: a privileged operation inside the SYSTEM service is reachable from an unprivileged caller (for a service of this kind, typically over a local IPC interface) without an adequate check on who is calling, so exploitation amounts to invoking that operation with attacker-chosen arguments. Bugs of this class are usually straightforward to weaponize once the function and its interface are known, so any foothold on an unpatched host should be treated as a SYSTEM compromise.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.realdefense.com/security-advisory
Restart Required: Yes
Instructions:
1. Visit RealDefense SUPERAntiSpyware official website
2. Download and install the latest version
3. Restart the system to ensure service updates take effect
4. After the reboot, verify that the SAS Core Service is running and that its binary on disk reports the patched version (the installed-programs entry can change before the reboot replaces the running service)
🔧 Temporary Workarounds
Disable SUPERAntiSpyware Service
Temporarily stop and disable the vulnerable SAS Core Service to remove the attack surface. Two caveats: this also removes the product's protection for as long as the service is off, and sc.exe takes the service's key name, which may differ from the display name "SAS Core Service", so confirm the key name with sc query (or Get-Service) before running the commands. Anti-malware services commonly have self-protection; if the stop is refused even from an elevated prompt, use the product's own controls or uninstall instead.
sc stop "SAS Core Service"
sc config "SAS Core Service" start= disabled
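The same workaround in PowerShell, as an added example that is not from the vendor or the original advisory: it resolves the service by display name so the key name does not have to be guessed, records the original start type so the change can be reverted once the patch is applied, and reports the image path for later use in detection. It assumes the display name is exactly "SAS Core Service" as stated above, and must be run from an elevated prompt.

```powershell
# Added example (not vendor tooling): stop and disable the SAS Core Service by display name.
# Assumption: the service's display name is exactly "SAS Core Service" (as the advisory states).
# Run from an elevated PowerShell prompt.
$displayName = 'SAS Core Service'

$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
if (-not $svc) {
    throw "No service with display name '$displayName'; list candidates with: Get-Service | Select-Object Name, DisplayName"
}

# Set-Service / sc.exe need the key name, which may differ from the display name.
$keyName = $svc.Name
$cim     = Get-CimInstance Win32_Service -Filter "Name='$keyName'"
Write-Output "Service '$keyName' ($displayName): status=$($svc.Status) start=$($svc.StartType) image=$($cim.PathName)"

# Record the original start type so the workaround can be undone after patching.
$backup = Join-Path $env:ProgramData 'sascore-starttype.txt'
Set-Content -Path $backup -Value $svc.StartType.ToString()

try {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $keyName -Force -ErrorAction Stop
    }
    Set-Service -Name $keyName -StartupType Disabled -ErrorAction Stop
    Write-Output "Stopped and disabled '$keyName'. Original start type saved to $backup."
}
catch {
    # Anti-malware services often enforce self-protection; an access-denied here even when
    # elevated means the service must be stopped through the product's own UI or uninstalled.
    Write-Warning "Could not stop/disable '$keyName': $($_.Exception.Message)"
}

# Revert after the vendor patch is installed:
#   Set-Service -Name $keyName -StartupType (Get-Content $backup); Start-Service -Name $keyName
```

Keep the saved start type with the change ticket; once the patched build is installed, the revert line at the end restores the service exactly as it was rather than guessing at Automatic versus Manual.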
Remove Local User Privileges
Apply strict least privilege to local accounts: remove unnecessary local administrator rights and disable unused local accounts, so that the low-privileged code execution this flaw requires is harder to obtain in the first place.
🧯 If You Can't Patch
- Uninstall SUPERAntiSpyware if not critically needed
- Implement application control policies (for example AppLocker or Windows Defender Application Control) to block execution of unauthorized binaries, which denies the attacker the low-privileged code execution the flaw requires
🔍 How to Verify
Check if Vulnerable:
Compare the installed SUPERAntiSpyware version against the patched version named in the vendor advisory; anything below it is vulnerable
Check Version:
Open the SUPERAntiSpyware About dialog, or read the DisplayVersion of its entry under Programs and Features (Control Panel)
Verify Fix Applied:
Confirm that the installed version is at or above the version named in the vendor advisory, that the SAS Core Service binary on disk reports that same version, and that the service is running again after the reboot
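A script that performs the version and service checks above (and step 4 of the fix instructions) in one pass, as an added example that is not vendor tooling: it reads the product's Uninstall entry, compares it against a patched version you supply from the vendor advisory, and cross-checks the file version of the service binary itself. It assumes the product registers under the standard Uninstall keys with a DisplayName containing "SUPERAntiSpyware" and that the service display name is "SAS Core Service"; the -PatchedVersion value is a placeholder to be taken from the advisory, since this page does not state it.

```powershell
# Added example (not vendor tooling): report installed SUPERAntiSpyware version and SAS Core Service
# state, and compare against the patched version from the vendor advisory.
# Assumptions: product registered under the standard Uninstall keys with DisplayName like
# '*SUPERAntiSpyware*'; service display name 'SAS Core Service'. Save as Check-SAS.ps1 and run:
#   .\Check-SAS.ps1 -PatchedVersion <version from the vendor advisory>
param(
    [Parameter(Mandatory = $true)][version]$PatchedVersion
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entry = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SUPERAntiSpyware*' } |
    Select-Object -First 1

if (-not $entry) {
    Write-Output 'SUPERAntiSpyware not found under HKLM Uninstall keys (not installed, or a per-user install under HKCU).'
    return
}

# DisplayVersion is a string such as "10.0.1234"; [version] makes the comparison numeric, not lexical.
$installed = [version]$entry.DisplayVersion
$state = if ($installed -ge $PatchedVersion) { 'PATCHED' } else { 'VULNERABLE' }
Write-Output "$($entry.DisplayName) $installed (patched >= $PatchedVersion): $state"

# Cross-check the service binary: the Uninstall entry is updated by the installer, but the old
# service image can stay loaded until the reboot the fix requires.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='SAS Core Service'"
if (-not $svc) {
    Write-Output 'SAS Core Service is not registered on this host.'
    return
}

# PathName may be quoted and may carry arguments; keep only the executable path.
$exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
$fileVer = (Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue).VersionInfo.FileVersion
Write-Output "SAS Core Service: state=$($svc.State) start=$($svc.StartMode) image=$exe fileversion=$fileVer"

if ($svc.State -ne 'Running') {
    Write-Warning 'SAS Core Service is not running; after patching it should be running again post-reboot.'
}
```

Run it before patching to record the vulnerable state and again after the reboot; a PATCHED verdict with a file version that still predates the patch means the reboot has not yet replaced the service image.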
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from SUPERAntiSpyware service context
- SAS Core Service spawning unexpected child processes
- A process created by the service whose account (the 4688 target subject) is not SYSTEM, or new service (4697) and scheduled-task (4698) creation events shortly after such a process
Network Indicators:
- Lateral movement from previously compromised hosts
- Unexpected outbound connections from systems with SUPERAntiSpyware
SIEM Query:
In Event ID 4688 the ParentProcessName field is the parent's full image path, not a service display name, so the wildcard must match the SAS Core Service executable (take the path from sc qc or Get-CimInstance Win32_Service). Matching every child under system32 is too broad; the signal is the service image spawning a shell or script host at all. This requires Audit Process Creation to be enabled (Sysmon Event ID 1 with ParentImage is the equivalent), and command-line capture must be enabled separately to get the CommandLine field.
EventID=4688 AND ParentProcessName="<full image path of the SAS Core Service executable>" AND (NewProcessName="*\cmd.exe" OR NewProcessName="*\powershell.exe" OR NewProcessName="*\rundll32.exe")
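The same hunt run locally against the Security log, as an added example that is not part of the original advisory: it resolves the service image path from the service registration instead of hard-coding it, parses each 4688 event, keeps the children of that image, and flags shells and script hosts. It assumes Audit Process Creation is enabled, that the service display name is "SAS Core Service", and that it is run elevated (reading the Security log requires it).

```powershell
# Added example (not from the advisory): list processes spawned by the SAS Core Service image
# in the last N hours, using Security event 4688. Assumptions: Audit Process Creation enabled,
# service display name 'SAS Core Service', run from an elevated prompt.
param([int]$Hours = 24)

$svc = Get-CimInstance Win32_Service -Filter "DisplayName='SAS Core Service'"
if (-not $svc) { throw 'SAS Core Service is not registered on this host.' }
# PathName may be quoted and carry arguments; keep only the executable path.
$parentImage = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'

# Shells and script hosts a SYSTEM anti-malware service has no business launching.
$suspicious = '^(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript|schtasks|sc|net|net1)\.exe$'

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # 4688 fields live in EventData/Data elements keyed by their Name attribute.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['ParentProcessName'] -ieq $parentImage) {
        $child = $d['NewProcessName']
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Child   = $child
            Creator = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"  # account of the parent
            RunsAs  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"    # account of the new process
            Cmd     = $d['CommandLine']   # empty unless command-line auditing is enabled
            Flag    = ((Split-Path -Leaf $child) -imatch $suspicious) -or ($d['TargetUserName'] -ne 'SYSTEM')
        }
    }
}

$hits = @($hits)
$flagged = @($hits | Where-Object Flag)
Write-Output "$($hits.Count) child process(es) of $parentImage in the last $Hours h; $($flagged.Count) flagged."
$hits | Sort-Object Time | Format-Table Time, Flag, Child, RunsAs, Cmd -AutoSize
```

A flagged row means either a shell/script host launched from the service image or a child running under an account other than SYSTEM; both are worth pulling the full command line and the parent's own 4688 record for. Run it across a fleet through your endpoint management tooling rather than one host at a time, and compare the unflagged children against a known-good baseline from a patched machine, since the product's legitimate helper processes will appear in every run.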