CVE-2025-14497
📋 TL;DR
This vulnerability allows local attackers with low-privileged access to escalate privileges to SYSTEM level by exploiting an exposed dangerous function in RealDefense SUPERAntiSpyware's SAS Core Service. Affected users are those running vulnerable versions of SUPERAntiSpyware on Windows systems.
💻 Affected Systems
- RealDefense SUPERAntiSpyware
📦 What is this software?
SUPERAntiSpyware is an anti-malware product from RealDefense for Windows; the SAS Core Service is the Windows service component in which this vulnerability lies.
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement across the network.
Likely Case
Local attacker with initial access (malware, compromised user account) escalates to SYSTEM to install additional malware, steal credentials, or bypass security controls.
If Mitigated
With proper endpoint protection and least privilege principles, impact is limited to isolated systems with containment preventing lateral movement.
🎯 Exploit Status
Exploitation requires the attacker to already have local code execution as a low-privileged user. The ZDI case number ZDI-CAN-27680 suggests the vulnerability is well documented and likely exploitable with moderate effort.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version (check vendor advisory for specific version)
Vendor Advisory: https://www.realdefense.com/security-advisory (check for specific advisory)
Restart Required: Yes
Instructions:
1. Open SUPERAntiSpyware.
2. Check for updates via the program interface.
3. Download and install the latest version.
4. Restart the system to ensure the SAS Core Service is updated.
🔧 Temporary Workarounds
Disable SAS Core Service
Windows: temporarily disable the vulnerable service to prevent exploitation (this will break SUPERAntiSpyware functionality). Run the following from an elevated command prompt:
sc stop "SAS Core Service"
sc config "SAS Core Service" start= disabled
Remove SUPERAntiSpyware
Windows: uninstall the software if it is not essential.
appwiz.cpl (then uninstall SUPERAntiSpyware)
🧯 If You Can't Patch
- Implement strict least privilege policies to limit initial access vectors
- Deploy endpoint detection and response (EDR) to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the installed SUPERAntiSpyware version and compare it with the vendor's patched version. Also verify whether the SAS Core Service is running.
Check Version:
Check program version in SUPERAntiSpyware interface or via Windows Programs and Features
Verify Fix Applied:
Confirm SUPERAntiSpyware is updated to the latest version and restart the system. Verify that the SAS Core Service binary version has changed.
📡 Detection & Monitoring
Log Indicators:
- Unexpected SYSTEM privilege processes spawned from user context
- SAS Core Service unusual activity or crashes
- Windows Event Logs showing privilege escalation
Network Indicators:
- None - local exploitation only
SIEM Query:
Process creation events where the parent process runs in a user context and the child process runs as SYSTEM, filtered to processes that interact with the SAS Core Service.
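An added detection sketch for the query described above (example code, not part of this advisory). Records mimic Sysmon Event ID 1 fields (Image, User, ParentImage, ParentUser); the sample events, the install path and the "superantispyware" path marker are constructed assumptions.

```python
"""Flag process-creation events where a user-context parent spawns a SYSTEM child.

Added detection example, not from the advisory. Field names follow Sysmon Event ID 1;
the events below are constructed, and the SUPERAntiSpyware path marker is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                   "NT AUTHORITY\\NETWORK SERVICE"}
# Assumed path fragment used to relate an event to the SAS Core Service.
SAS_MARKER = "superantispyware"


@dataclass
class ProcEvent:
    image: str          # Image: full path of the new process
    user: str           # User: account the new process runs as
    parent_image: str   # ParentImage
    parent_user: str    # ParentUser


def is_system(user: str) -> bool:
    return user.upper() in {a.upper() for a in SYSTEM_ACCOUNTS}


def classify(ev: ProcEvent) -> Optional[str]:
    """'sas_escalation' (high) if a user-context parent yields a SYSTEM child and a
    SAS path is involved; 'user_to_system' (medium, triage) without one; else None."""
    if not is_system(ev.user) or is_system(ev.parent_user):
        return None  # user->user or SYSTEM->SYSTEM (e.g. services.exe) is normal
    involved = SAS_MARKER in (ev.image + ev.parent_image).lower()
    return "sas_escalation" if involved else "user_to_system"


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    return [(ev.image, label) for ev in events if (label := classify(ev))]


SAMPLE_EVENTS = [  # constructed records
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM",
              r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"WORKSTATION\alice",
              r"C:\Windows\explorer.exe", r"WORKSTATION\alice"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM",
              r"C:\Program Files\SUPERAntiSpyware\SAS_CORE_PLACEHOLDER.exe", r"WORKSTATION\alice"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM",
              r"C:\Users\alice\tool.exe", r"WORKSTATION\alice"),
]

if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```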