CVE-2025-14496
📋 TL;DR
This vulnerability in RealDefense SUPERAntiSpyware allows a local attacker to escalate from a low-privileged user account to SYSTEM. The attacker must first obtain code execution on the target as a low-privileged user, then call a dangerous function that the SAS Core Service (which runs as SYSTEM) exposes to low-privileged callers. Installations running a version prior to the vendor fix are vulnerable; the advisory does not narrow the affected range.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware is a Windows anti-spyware/anti-malware product from RealDefense. Its SAS Core Service component runs as a Windows service under the SYSTEM account, which is why a flaw reachable from a low-privileged client yields full SYSTEM privileges.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation leading to administrative control of the affected system, data exfiltration, and further exploitation.
If Mitigated
Impact is limited only where the service is stopped and disabled (or the product removed) until a patched build is installed. Least-privilege accounts, logon restrictions, and EDR make it harder for an attacker to obtain the initial low-privileged foothold and easier to catch the escalation, but on an unpatched host with the service running they do not prevent the escalation itself; network segmentation only limits what the attacker can reach afterwards.
🎯 Exploit Status
Exploitation requires local access with low-privileged code execution first (for example a phished user or a compromised service account). The issue was reported through Trend Micro's Zero Day Initiative (ZDI), which holds the technical details; no public exploit is known at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.realdefense.com/security-advisory
Restart Required: Yes
Instructions:
1. Check RealDefense security advisory for patch details
2. Download latest version from official vendor site
3. Install update following vendor instructions
4. Restart system to ensure service updates apply
🔧 Temporary Workarounds
Disable SAS Core Service (Windows)
Temporarily stop and disable the vulnerable service so its exposed function cannot be reached. This also removes the product's protection, and both commands need an elevated (administrator) prompt. sc.exe takes the service's key name, not its display name; confirm the key name first with: sc queryex type= service state= all | findstr /i SAS (and adjust the name below if it differs).
sc stop "SAS Core Service"
sc config "SAS Core Service" start= disabled
Remove unnecessary privileges (Windows)
Apply least privilege to user accounts and restrict interactive and remote logon to hosts running the product. This reduces who can obtain the low-privileged local execution the exploit needs; it does not block the escalation itself on an unpatched host with the service running.
🧯 If You Can't Patch
- Uninstall SUPERAntiSpyware if not essential
- Implement strict endpoint detection and response (EDR) rules to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Compare the installed SUPERAntiSpyware version with the patched version named in the vendor advisory, and confirm whether the SAS Core Service is registered and running (and under which account: it runs as SYSTEM). A host is exposed if the version is older than the fix and the service is running.
Check Version:
Read the product version from Control Panel > Programs and Features (the DisplayVersion value under the Uninstall registry keys), or use the vendor-provided version check.
Verify Fix Applied:
Confirm the installed version is at or above the patched version, that the system has been restarted, and that the running SAS Core Service binary carries the updated file version (a stale process from before the restart still runs the old code).
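The following PowerShell script is an added example, not code from the page or from RealDefense. It performs the verification steps above (installed version, service state, run-as account, service binary) and, because it resolves the service's real key name, also gives you the exact Stop-Service/Set-Service commands for the workaround described under Temporary Workarounds. The -PatchedVersion value is an assumption you must fill in from the vendor advisory; the registry paths and Win32_Service fields are standard Windows locations, while the '*SUPERAntiSpyware*' and '*SAS Core*' name patterns are assumed from the product and service names this page uses.

```powershell
# Added example (not from the page or the vendor): is this host exposed to CVE-2025-14496?
# Checks installed version, SAS Core Service state, run-as account and binary path.
param(
    # Placeholder: set this to the fixed version from the RealDefense advisory.
    [version]$PatchedVersion = [version]'0.0.0.0'
)

# Programs and Features reads these keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Name pattern assumed from the product name used on this page.
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SUPERAntiSpyware*' } |
    Select-Object -First 1 DisplayName, DisplayVersion, InstallLocation

if (-not $product) {
    Write-Output 'SUPERAntiSpyware is not installed: host is not affected by CVE-2025-14496.'
    return
}
Write-Output ("Installed: {0} {1}" -f $product.DisplayName, $product.DisplayVersion)

# Version verdict. An unparsable version string is reported, never silently treated as safe.
$installed = $null
if ([version]::TryParse($product.DisplayVersion, [ref]$installed)) {
    if ($PatchedVersion -eq [version]'0.0.0.0') {
        Write-Warning 'Pass -PatchedVersion (from the vendor advisory) to get a patched/vulnerable verdict.'
    } elseif ($installed -lt $PatchedVersion) {
        Write-Warning ("VULNERABLE: installed {0} is older than patched {1}" -f $installed, $PatchedVersion)
    } else {
        Write-Output ("Version {0} is at or above patched version {1}" -f $installed, $PatchedVersion)
    }
} else {
    Write-Warning ("Could not parse version '{0}'; compare it with the advisory by hand." -f $product.DisplayVersion)
}

# Resolve the service by display name or binary path instead of assuming the key name,
# because sc.exe / Stop-Service need the key name. Win32_Service also exposes the run-as account.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*SAS Core*' -or $_.PathName -like '*SUPERAntiSpyware*' }

if (-not $svc) {
    Write-Output 'No SAS Core Service is registered: the exposed function is not reachable on this host.'
    return
}
foreach ($s in $svc) {
    Write-Output ("Service {0} ('{1}'): State={2} StartMode={3} RunsAs={4}" -f `
        $s.Name, $s.DisplayName, $s.State, $s.StartMode, $s.StartName)
    Write-Output ("  Binary: {0}" -f $s.PathName)
    # After patching, the file version of the binary should match the advisory; an old
    # process surviving a missed restart is the usual reason "patched" hosts stay exploitable.
    $exe = ($s.PathName -replace '^"([^"]+)".*$', '$1') -replace '^([^ ]+\.exe).*$', '$1'
    if (Test-Path $exe) {
        Write-Output ("  File version on disk: {0}" -f (Get-Item $exe).VersionInfo.FileVersion)
    }
    if ($s.State -eq 'Running') {
        Write-Warning '  Service is running; on an unpatched build the escalation path is live.'
        Write-Output ("  Workaround (elevated prompt): Stop-Service -Name '{0}' -Force; Set-Service -Name '{0}' -StartupType Disabled" -f $s.Name)
    }
}
```

Run it from an elevated PowerShell prompt so the WOW6432Node key and service details are readable. The script never disables anything itself; it prints the exact workaround commands with the resolved service name so you can decide per host.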
📡 Detection & Monitoring
Log Indicators:
- Process creation (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) where the parent is the SAS Core Service binary and the child runs as NT AUTHORITY\SYSTEM (System mandatory label) but is not a product component: an interpreter or LOLBin such as cmd.exe, powershell.exe, rundll32.exe, or any image under a user-writable path (Users\, ProgramData\, Windows\Temp\)
- SAS Core Service crash or restart events (Application log, Service Control Manager) around the time a low-privileged session was active
- Because the page does not say what the exposed function does, also watch for the service creating, copying, or deleting files in paths a low-privileged user controls (Sysmon Event ID 11 / 23): file-operation primitives in SYSTEM services are an equally common escalation route
Network Indicators:
- Unusual outbound connections from SYSTEM processes, in particular from a child of the SAS Core Service
SIEM Query (pseudo-query; adapt field names to your SIEM):
ProcessCreation where ParentImage endswith <SAS Core Service binary> AND User == "NT AUTHORITY\SYSTEM" AND NOT Image startswith <product install directory>
Baseline the product's normal children first; a service that legitimately spawns updaters or scanners from its own directory will otherwise be noisy.
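The hunt below is an added example, not code from the page or the vendor. It implements the SIEM query above against local Sysmon process-creation events: it resolves the SAS Core Service binary from the running service, then flags SYSTEM-context children of that binary that live outside the product directory, sit in a user-writable path, or are interpreters/LOLBins. It assumes Sysmon is installed with Event ID 1 logging; the '*SAS Core*' display-name pattern and the interpreter list are assumptions, and the whole heuristic presumes the exposed function ends in a process launch, which the page does not confirm.

```powershell
# Added example (not from the page): hunt Sysmon Event ID 1 for suspicious SYSTEM children
# of the SAS Core Service process. Assumes Sysmon process-creation logging is enabled.
param(
    [int]$LookbackHours = 24
)

# Resolve the service binary so the parent match is exact rather than a loose '*SAS*'.
# Display-name pattern is assumed from the service name used on this page.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like '*SAS Core*' } | Select-Object -First 1
if (-not $svc) { Write-Warning 'SAS Core Service not found on this host'; return }
# PathName may be quoted and carry arguments; keep only the executable path.
$svcExe     = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^([^ ]+\.exe).*$', '$1'
$productDir = Split-Path -Parent $svcExe

# Locations a low-privileged user can write to: a SYSTEM child launched from here is the classic LPE tell.
$userWritable = @("$env:SystemDrive\Users\", "$env:SystemRoot\Temp\", "$env:ProgramData\")
# Interpreters and living-off-the-land binaries a security service has no business spawning (assumed list).
$lolbinPattern = '\\(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript|certutil)\.exe$'

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    if ($d['ParentImage'] -ne $svcExe)  { continue }   # only children of the service
    if ($d['User'] -notlike '*\SYSTEM') { continue }   # only SYSTEM-context children

    $img              = $d['Image']
    $fromProductDir   = $img -like "$productDir\*"
    $fromUserWritable = ($userWritable | Where-Object { $img -like "$_*" }).Count -gt 0
    $isLolbin         = $img -match $lolbinPattern

    if ($fromUserWritable -or $isLolbin -or -not $fromProductDir) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $d['ParentImage']
            Child       = $img
            User        = $d['User']
            Integrity   = $d['IntegrityLevel']
            CommandLine = $d['CommandLine']
            Reason      = if ($fromUserWritable) { 'child image in user-writable path' }
                          elseif ($isLolbin)     { 'interpreter/LOLBin spawned by service' }
                          else                   { 'child outside product directory' }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Time | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No suspicious SYSTEM children of $svcExe in the last $LookbackHours h"
}
```

The three reasons are ordered by confidence: a SYSTEM child whose image sits under Users\ or ProgramData\ is close to a confirmed escalation, an interpreter is strongly suspicious, and "outside product directory" is a baseline-me-first signal. Run it once on a known-good host to learn which children the product legitimately spawns before turning the query into an alert.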