CVE-2025-45095
📋 TL;DR
Lavasoft Web Companion (Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037 have an unquoted service path vulnerability in DCIService.exe. Attackers with write access to the file system can place malicious executables in the unquoted path to execute arbitrary code with SYSTEM privileges. This affects all users running vulnerable versions of the software.
💻 Affected Systems
- Lavasoft Web Companion
- Ad-Aware WebCompanion
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges leading to complete control over the affected machine, data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation where an attacker with initial access gains SYSTEM privileges to install malware, steal credentials, or move laterally within the network.
If Mitigated
Limited impact if proper file system permissions prevent unauthorized writes to affected directories and endpoint protection blocks malicious executables.
🎯 Exploit Status
Exploitation requires write access to the file system. The vulnerability is well-documented with proof-of-concept available in the reference link.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Check current version using 'sc qc DCIService' command
2. If version is between 8.9.0.1091 and 12.1.3.1037, uninstall Lavasoft Web Companion
3. Consider alternative web protection software
🔧 Temporary Workarounds
Add quotes to service path
Windows: Manually add quotes around the service path in Windows Registry to prevent exploitation
sc config DCIService binPath= "\"C:\Program Files\Lavasoft\Web Companion\Application\DCIService.exe\""
Restrict file system permissions
Windows: Set strict ACLs on directories in the unquoted path to prevent unauthorized writes
icacls "C:\Program Files\Lavasoft" /deny Everyone:(OI)(CI)(W)
🧯 If You Can't Patch
- Uninstall Lavasoft Web Companion completely
- Implement strict file system permissions and monitor for unauthorized file creation in affected directories
🔍 How to Verify
Check if Vulnerable:
Run 'sc qc DCIService' and check if the BinaryPathName value is unquoted and contains spaces. Also check version using 'wmic product where name="Lavasoft Web Companion" get version'
Check Version:
wmic product where name="Lavasoft Web Companion" get version
Verify Fix Applied:
Verify service path is quoted by running 'sc qc DCIService' and checking BinaryPathName starts and ends with quotes
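The verification steps above, combined with the ACL workaround, as an added read-only PowerShell example (not part of the original advisory or any vendor tooling). It reads the service's ImagePath from the registry, reports whether it is unquoted, and for each ambiguous path prefix shows whether a file already exists there and which non-administrative identities may create files in its directory. The helper name `Get-UnquotedPathCandidate` and the English account names in `$trusted` are assumptions.

```powershell
# Added example: read-only audit of one service for an unquoted ImagePath.
$ServiceName = 'DCIService'   # service name from the advisory
# Assumption: English account names; adjust on localized Windows builds.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

function Get-UnquotedPathCandidate {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return }   # quoted: parsed unambiguously
    # Executable portion = shortest prefix ending in ".exe"; arguments may follow.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value
    # At each space Windows may try "<prefix>.exe" before the intended binary.
    for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        $exe.Substring(0, $i) + '.exe'
    }
}

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $key)) {
    Write-Output "$ServiceName is not installed."
} else {
    $imagePath  = (Get-ItemProperty -Path $key).ImagePath
    $candidates = @(Get-UnquotedPathCandidate -ImagePath $imagePath)
    if ($candidates.Count -eq 0) {
        Write-Output "OK: ImagePath is quoted or contains no spaces: $imagePath"
    } else {
        Write-Output "UNQUOTED: $imagePath"
        $create = [System.Security.AccessControl.FileSystemRights]::CreateFiles
        foreach ($c in $candidates) {
            $dir = Split-Path -Path $c -Parent
            # Allow ACEs that let a non-trusted identity create files in $dir itself.
            $writers = @((Get-Acl -LiteralPath $dir).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $create) -and
                $_.PropagationFlags -notmatch 'InheritOnly' -and
                $_.IdentityReference.Value -notin $trusted
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
            [pscustomobject]@{
                Candidate       = $c
                AlreadyExists   = Test-Path -LiteralPath $c -PathType Leaf
                NonAdminWriters = $writers -join ', '
            }
        }
    }
}
```

A row with `AlreadyExists = True` or a non-empty `NonAdminWriters` column warrants investigation. ACEs expressed only as generic rights are not decoded, so confirm with `icacls` on the listed directories.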
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 showing DCIService.exe execution from unexpected locations
- File creation events in Lavasoft installation directories
- Process creation from suspicious paths
Network Indicators:
- Unusual outbound connections from DCIService.exe
- Beaconing behavior from the service
SIEM Query:
source="windows" event_id=4688 AND (process_name="DCIService.exe" AND NOT (process_path="C:\\Program Files\\Lavasoft\\Web Companion\\Application\\DCIService.exe"))