VYPR
Unrated severity · NVD Advisory · Published Feb 3, 2018 · Updated Aug 5, 2024

CVE-2018-6593


Description

An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by connecting to the filter communication port and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MalwareFox AntiMalware 2.74.0.150 drivers allow any user to connect to a filter communication port, enabling privilege escalation via IOCTL 0x8000204C.

Vulnerability

The vulnerability resides in the kernel drivers zam32.sys and zam64.sys of MalwareFox AntiMalware version 2.74.0.150. The driver creates a filter communication port at \\.\ZemanaAntiMalware but fails to set a proper Discretionary Access Control List (DACL). Instead of using the default security descriptor that restricts access to SYSTEM and Administrators, the driver calls RtlSetDaclSecurityDescriptor with a NULL DACL pointer; a NULL DACL places no access restrictions on the object at all, so all users (including unprivileged processes) can connect to the port [1].

Exploitation

An attacker with local access to the system, even as a non-privileged user, can connect to the filter communication port using the FilterConnectCommunicationPort API. Once connected, the driver automatically registers the connecting process as trusted. The attacker can then send the IOCTL code 0x8000204C to the device \\.\ZemanaAntiMalware to request privilege escalation. The exploit code provided in the reference demonstrates this sequence [1].

Impact

Successful exploitation allows an attacker to elevate privileges from a non-privileged process to SYSTEM level. With elevated privileges, the attacker can disable real-time protection, write to raw disk, open full access handles to arbitrary processes, and perform other high-privilege operations, effectively compromising the entire system [1].

Mitigation

As of the publication date (February 2018), no official patch or fixed version has been disclosed by MalwareFox. Users are advised to update to a newer version if available, or consider removing the software if no update is provided. The vulnerability is listed in the Exploit Database (EDB-ID 43973) and may be targeted by malware [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: no source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in the index yet)