CVE-2025-64984
📋 TL;DR
This vulnerability allows reflected cross-site scripting (XSS) attacks in Kaspersky security products for Linux and Mac. Attackers can use phishing techniques to inject malicious scripts that execute in victims' browsers. Affected users include those running Kaspersky Endpoint Security for Linux, Kaspersky Industrial CyberSecurity for Linux Nodes, or Kaspersky Endpoint Security for Mac with outdated anti-virus databases.
💻 Affected Systems
- Kaspersky Endpoint Security for Linux
- Kaspersky Industrial CyberSecurity for Linux Nodes
- Kaspersky Endpoint Security for Mac
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals session cookies, authentication tokens, or credentials, leading to account compromise and potential lateral movement within the network.
Likely Case
Attacker steals browser session data or redirects users to malicious sites through phishing links.
If Mitigated
Limited impact with proper web security controls like Content Security Policy and input validation.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) but uses standard XSS techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update anti-virus databases to version dated 18.11.2025 or later
Vendor Advisory: https://support.kaspersky.com/vulnerability/list-of-advisories/12430#181125
Restart Required: No
Instructions:
1. Open the Kaspersky management console.
2. Check the current anti-virus database version.
3. Update the databases to 18.11.2025 or newer.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable web interface
Platform: linux. Temporarily disable the vulnerable web interface components if not required.
Consult Kaspersky documentation for your specific product to disable web management interface
Implement WAF rules
Platform: all. Deploy web application firewall rules to block XSS payloads.
🧯 If You Can't Patch
- Implement strict Content Security Policy headers
- Educate users about phishing risks and suspicious links
🔍 How to Verify
Check if Vulnerable:
Check the anti-virus database version in the Kaspersky interface. If the date is before 18.11.2025, the system is vulnerable.
Check Version:
On Linux: sudo kesl-control --get-stat | grep 'Anti-virus databases'
Verify Fix Applied:
Confirm that the anti-virus database version shows a date of 18.11.2025 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual web requests with script tags or JavaScript payloads
- Multiple failed XSS attempts in web logs
Network Indicators:
- HTTP requests containing suspicious script parameters
- Traffic to known phishing domains
SIEM Query:
(web.url CONTAINS "<script>" OR web.url CONTAINS "javascript:") AND device.vendor="Kaspersky"
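Added example, not part of the original page and not Kaspersky tooling: the SIEM query above matches only literal `<script>` and `javascript:` strings, so percent-encoded or double-encoded requests pass unnoticed. This Python check decodes each request URL before matching the same two indicators. The access-log format, the sample lines, the `/status` path and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# The two indicators named on this page (script tags, javascript: URIs),
# matched case-insensitively and tolerant of padding whitespace.
INDICATORS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (line_number, decoded_url) for requests matching the indicators."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        url = decode_fully(match.group(1))
        if INDICATORS.search(url):
            hits.append((number, url))
    return hits


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Nov/2025:10:01:02 +0000] "GET /status?view=summary HTTP/1.1" 200 512',
    '192.0.2.11 - - [19/Nov/2025:10:01:05 +0000] "GET /status?msg=%3Cscript%3Eprobe()%3C/script%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [19/Nov/2025:10:01:09 +0000] "GET /status?next=JavaScript%253Aprobe() HTTP/1.1" 200 640',
    '192.0.2.13 - - [19/Nov/2025:10:01:12 +0000] "GET /docs/javascript-guide HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, url in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {url}")
```

Lines 2 and 3 of the sample are flagged only after decoding; a literal substring match on the raw URL would report neither.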