CVE-2025-5317
📋 TL;DR
This vulnerability allows local users with administrative privileges on macOS systems to bypass Bitdefender's uninstall password protection. Attackers with sudo access can manually delete the application and related directories without authentication. This affects Bitdefender Endpoint Security Tools for Mac installations before version 7.20.52.200087.
💻 Affected Systems
- Bitdefender Endpoint Security Tools for Mac (BEST)
📦 What is this software?
Endpoint Security by Bitdefender
⚠️ Risk & Real-World Impact
Worst Case
A malicious administrator or a compromised admin account could remove the endpoint security software, leaving the system unprotected and enabling further attacks without detection.
Likely Case
Disgruntled employee with admin privileges could intentionally remove security controls to facilitate data exfiltration or install malware.
If Mitigated
With proper privilege separation and monitoring, impact is limited to authorized administrators performing legitimate uninstallations.
🎯 Exploit Status
Exploitation requires administrative privileges and involves simple file deletion commands. No special tools or techniques needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.20.52.200087 and later
Vendor Advisory: https://www.bitdefender.com/support/security-advisories/improper-access-restriction-to-critical-folder-in-bitdefender-endpoint-security-tools-for-mac/
Restart Required: Yes
Instructions:
1. Open Bitdefender Endpoint Security for Mac.
2. Check for updates in the application.
3. Install the update to version 7.20.52.200087 or later.
4. Restart the system to complete the installation.
🔧 Temporary Workarounds
Restrict sudo privileges
Limit administrative access to only trusted users who require it for their job functions.
sudo visudo
# Edit sudoers file to restrict access
Monitor file deletions
Set up file integrity monitoring on critical Bitdefender directories.
sudo fswatch /Applications/Endpoint\ Security\ for\ Mac.app/
sudo fswatch /Library/Bitdefender/AVP/
🧯 If You Can't Patch
- Implement strict access controls to limit who has administrative privileges on macOS systems
- Monitor for unauthorized removal of security software using endpoint detection tools
🔍 How to Verify
Check if Vulnerable:
Check the Bitdefender version: open Terminal and run 'defaults read /Applications/Endpoint\ Security\ for\ Mac.app/Contents/Info.plist CFBundleShortVersionString'. If the version is below 7.20.52.200087, the system is vulnerable.
Check Version:
defaults read /Applications/Endpoint\ Security\ for\ Mac.app/Contents/Info.plist CFBundleShortVersionString
Verify Fix Applied:
After the update, verify that the version is 7.20.52.200087 or higher using the same command. Attempts to delete the protected directories should now require the uninstall password.
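The version check above as a script, added here as an example and not taken from the page's author or from Bitdefender: it reads CFBundleShortVersionString with 'defaults' on macOS and compares the four numeric fields against 7.20.52.200087, because a plain string comparison would wrongly order 7.20.9.x after 7.20.52.x. The plist path and fixed version are the ones stated on this page; the function names are assumptions.

```shell
#!/bin/sh
# Fixed release from the vendor advisory and the Info.plist path from this page.
FIXED_VERSION="7.20.52.200087"
PLIST="/Applications/Endpoint Security for Mac.app/Contents/Info.plist"

# version_lt A B: exit 0 if dotted version A is numerically lower than B.
# Compares up to four fields numerically; missing fields count as 0.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# is_vulnerable VERSION: exit 0 if VERSION predates the fix for CVE-2025-5317.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version: read the bundle version (macOS only; empty if not installed).
installed_version() {
    defaults read "$PLIST" CFBundleShortVersionString 2>/dev/null
}

# Stand-alone use on a Mac: report the patch status of the installed agent.
if [ "$(uname)" = "Darwin" ]; then
    v=$(installed_version)
    if [ -z "$v" ]; then
        echo "Bitdefender Endpoint Security for Mac not found at $PLIST"
    elif is_vulnerable "$v"; then
        echo "VULNERABLE: installed $v is below $FIXED_VERSION"
    else
        echo "OK: installed $v is at or above $FIXED_VERSION"
    fi
fi
```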
📡 Detection & Monitoring
Log Indicators:
- Unauthorized deletion of /Applications/Endpoint Security for Mac.app/
- Unauthorized deletion of files in /Library/Bitdefender/AVP/
- Failed uninstall attempts without password
Network Indicators:
- Sudden absence of Bitdefender endpoint reporting to management console
SIEM Query:
source="macos" AND event="file_delete" AND (path="/Applications/Endpoint Security for Mac.app/*" OR path="/Library/Bitdefender/AVP/*")