CVE-2025-43079
📋 TL;DR
CVE-2025-43079 is a path injection vulnerability in Qualys Cloud Agent's uninstall script that allows local privilege escalation. When the script runs with elevated privileges under a manipulated PATH environment, attackers can execute arbitrary commands as root. This affects macOS and Linux systems running vulnerable Qualys Cloud Agent versions.
💻 Affected Systems
- Qualys Cloud Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via root-level arbitrary command execution, enabling persistence, data theft, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers with initial access to gain root privileges on affected systems.
If Mitigated
Limited impact if proper privilege separation and PATH controls are enforced, restricting script execution to trusted environments.
🎯 Exploit Status
Requires local access, ability to manipulate PATH environment, and execution of uninstall script with elevated privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Qualys Cloud Agent release notes for fixed version
Vendor Advisory: https://www.qualys.com/security-advisories/cve-2025-43079
Restart Required: No
Instructions:
1. Update Qualys Cloud Agent to the latest version.
2. Follow Qualys update procedures for your deployment method.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict PATH manipulation (Linux)
Prevent PATH environment manipulation for privileged processes by pinning the PATH sudo hands to commands:
sudo visudo
Add: Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Remove vulnerable script (all platforms)
Delete the vulnerable uninstall script, or, if it must stay on disk, strip its permissions instead (pick one; chmod cannot follow rm on the same file):
sudo rm -f /path/to/qagent_uninstall.sh
or
sudo chmod 000 /path/to/qagent_uninstall.sh
🧯 If You Can't Patch
- Restrict sudo access to prevent unauthorized execution of the uninstall script.
- Implement strict PATH environment controls for all privileged processes.
🔍 How to Verify
Check if Vulnerable:
Check whether qagent_uninstall.sh exists and examine its content for relative path usage (commands invoked without an absolute path):
find / -name qagent_uninstall.sh 2>/dev/null
Check Version:
Run qualys-cloud-agent --version, or check the agent configuration file.
Verify Fix Applied:
Verify Qualys Cloud Agent version is updated to patched version and check script uses absolute paths.
📡 Detection & Monitoring
Log Indicators:
- Execution of qagent_uninstall.sh with sudo/root privileges
- Unusual PATH environment variables in process execution logs
Network Indicators:
- None - local exploitation only
SIEM Query:
process.name:"qagent_uninstall.sh" AND (user.name:"root" OR process.parent.name:"sudo")
The parentheses matter: without them, AND binds tighter than OR in most query languages and every sudo child process would match, not just the uninstall script.
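The two log indicators above as a small triage script, added here as an example (not code from this page's source or from Qualys). It runs over constructed JSON-lines process events whose field names mirror the SIEM query; the env.PATH field and the /path/to/ location are assumptions.

```python
import json
import os

# Allowlist mirrors the sudoers secure_path from the workaround above.
SECURE_PATH = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
               "/usr/bin", "/sbin", "/bin")
TARGET = "qagent_uninstall.sh"

def suspicious_path_entries(path_value):
    """Return PATH entries that are relative or outside the allowlist.
    An empty entry (leading/trailing/double colon) means the CWD."""
    bad = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/") or entry not in SECURE_PATH:
            bad.append(entry if entry else "<empty/cwd>")
    return bad

def evaluate(event):
    """Return the reasons one process event is suspicious (empty = benign)."""
    reasons = []
    if os.path.basename(event.get("process.name", "")) != TARGET:
        return reasons
    privileged = (event.get("user.name") == "root"
                  or event.get("process.parent.name") == "sudo")
    if privileged:
        reasons.append("uninstall script run with root/sudo")
    bad = suspicious_path_entries(event.get("env.PATH", ""))
    if bad:
        reasons.append("non-standard PATH entries: " + ", ".join(bad))
    return reasons

def scan(lines):
    """Parse JSON-lines events; return [(line_no, reasons)] for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = evaluate(json.loads(line))
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample events, not real telemetry; /path/to/ is a placeholder.
SAMPLE = [
    '{"process.name":"/path/to/qagent_uninstall.sh","user.name":"root","process.parent.name":"sudo","env.PATH":"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}',
    '{"process.name":"/path/to/qagent_uninstall.sh","user.name":"root","process.parent.name":"sudo","env.PATH":"/tmp/evil:/usr/bin"}',
    '{"process.name":"/bin/ls","user.name":"alice","process.parent.name":"bash","env.PATH":"/usr/bin:/bin"}',
    '{"process.name":"/path/to/qagent_uninstall.sh","user.name":"alice","process.parent.name":"bash","env.PATH":".:/usr/bin"}',
]

if __name__ == "__main__":
    for line_no, reasons in scan(SAMPLE):
        print(f"event {line_no}: " + "; ".join(reasons))
```

Events 1, 2 and 4 are flagged; event 3 (an unrelated process) is not.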