CVE-2025-29745
📋 TL;DR
This vulnerability in Emsisoft Anti-Malware allows remote attackers to steal Net-NTLMv2 hashes by tricking users into scanning specially crafted A2S files. Affected users are those running Emsisoft Anti-Malware versions prior to 2024.12 who scan files from untrusted sources.
💻 Affected Systems
- Emsisoft Anti-Malware
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain Net-NTLMv2 hashes which can be cracked offline or used in relay attacks to gain unauthorized access to network resources, potentially leading to domain compromise.
Likely Case
Attackers harvest Net-NTLMv2 hashes from users who scan malicious files, enabling credential theft and lateral movement within networks.
If Mitigated
With proper network segmentation and NTLM restrictions, impact is limited to hash exposure without successful relay attacks.
🎯 Exploit Status
Exploitation requires a user to scan a malicious file; proof-of-concept details are available in the public references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.12 or later
Vendor Advisory: https://help.emsisoft.com/en/support/solutions/articles/
Restart Required: Yes
Instructions:
1. Open Emsisoft Anti-Malware
2. Click 'Update'
3. Install available updates
4. Restart computer if prompted
🔧 Temporary Workarounds
Disable automatic scanning of A2S files (Windows)
Configure Emsisoft to exclude A2S files from automatic scanning
Block outbound SMB connections (all platforms)
Prevent Net-NTLMv2 hash relay by blocking outbound SMB (TCP 445) from workstations
🧯 If You Can't Patch
- Disable NTLM authentication where possible and use Kerberos instead
- Implement SMB signing to prevent relay attacks
- Educate users not to scan files from untrusted sources
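The outbound-SMB workaround and the NTLM and SMB-signing hardening listed above, as an added PowerShell audit script that is not part of this advisory or of Emsisoft's tooling. It assumes an elevated Windows PowerShell session on a workstation and uses the standard registry locations for the "Restrict NTLM: Outgoing NTLM traffic" and "Digitally sign communications (always)" policies; the firewall rule name is a constructed placeholder.

```powershell
# Added example: audit (and with -Enforce, apply) the three hash-theft mitigations.
param([switch]$Enforce)

function Get-RegDword($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value means the OS default, which is not hardened
}

$checks = @(
    @{ Name = 'Outgoing NTLM restricted (deny all)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictSendingNTLMTraffic'; Want = 2 },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 }
)

foreach ($c in $checks) {
    $have = Get-RegDword $c.Path $c.Value
    $ok = ($have -eq $c.Want)
    $shown = if ($null -eq $have) { 'unset' } else { $have }
    $state = if ($ok) { 'OK' } else { 'FAIL' }
    '{0,-36} current={1} wanted={2} {3}' -f $c.Name, $shown, $c.Want, $state
    if (-not $ok -and $Enforce) {
        New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
            -Value $c.Want -Force | Out-Null
    }
}

# Block outbound SMB (TCP 445) to non-local addresses, the workaround named above.
# "Internet" is the Windows Firewall keyword for addresses outside the local subnets.
$ruleName = 'Block outbound SMB to Internet (CVE-2025-29745 workaround)'  # placeholder name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    "OK   firewall rule present: $ruleName"
} elseif ($Enforce) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    "OK   firewall rule created: $ruleName"
} else {
    "FAIL firewall rule missing: $ruleName"
}
```

Setting RestrictSendingNTLMTraffic to 2 denies all outgoing NTLM, so set it to 1 (audit) first and review the resulting NTLM audit events before enforcing.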
🔍 How to Verify
Check if Vulnerable:
Check the Emsisoft version in Settings > About; if the version is below 2024.12, the system is vulnerable.
Check Version:
Not applicable via command line; check the version in the Emsisoft GUI (Settings > About).
Verify Fix Applied:
Confirm version is 2024.12 or higher in Settings > About after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual A2S file scan events in Emsisoft logs
- Failed authentication attempts using Net-NTLMv2 hashes
Network Indicators:
- Unexpected SMB connections to external IPs from workstations
- NTLM authentication attempts to unusual destinations
SIEM Query:
source="emsisoft.log" AND "A2S" AND "scan" | stats count by src_ip