VYPR
Medium severity · NVD Advisory · Published Jul 11, 2025 · Updated Apr 15, 2026

CVE-2025-5028

Description

The installation file of ESET security products on Windows allows an attacker to misuse it to delete an arbitrary file without having the permissions to do so.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A low-privileged attacker can abuse ESET security product installers on Windows to delete arbitrary files, potentially leading to local privilege escalation.

Vulnerability Overview

The arbitrary file deletion vulnerability, identified as CVE-2025-5028 and reported by Sheikh Rishad, exists in the installation files of ESET security products on Windows. The root cause lies in the installer's failure to properly validate or restrict file operations after an attacker crafts the target installation directory with specific redirects. This allows a malicious actor to misuse the legitimate installer process to delete files outside the intended scope [1].

Exploitation Prerequisites and Attack Surface

Exploitation requires the attacker to already have the ability to execute low-privileged code on the target system. The attack vector is local (AV:L), with low attack complexity and no advanced privileges needed beyond the initial low-privileged access. User interaction (UI:A) is required because the victim must run the installer under their account, but the attacker can pre-stage the directory to trigger the deletion. The vulnerability is in the installer file itself, not the installed ESET product; once the product is installed and running, no further risk from this CVE applies [1].

Impact

A successful exploit enables the attacker to delete an arbitrary file on the system, including protected system files. While the direct outcome is unauthorized file deletion, the ESET advisory notes this can be extended into a local privilege escalation (LPE) vector, for example by deleting a security-critical file that forces a fallback to a less-secure state. The CVSS v4.0 score is 6.8 (Medium), with high impacts to both confidentiality and integrity, but no impact to availability [1].

Mitigation and Resolution

ESET has released fixed installer versions for all affected product lines (see below). Affected users must download and use the updated installation files from the official ESET website or ESET Repository. Products already installed are not vulnerable from this attack vector. To the best of ESET's knowledge, no public exploits exist in the wild at the time of the advisory [1].

Fixed versions:

- ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security Premium, ESET Security Ultimate 18.2.14.0 and later
- ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 12.0.2058.0, 11.0.2062.0 and later from the respective version family
- ESET Small Business Security and ESET Safe Server 18.2.14.0 and later
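One way to audit the installer packages on a deployment share against the fixed versions listed above (an added example, not ESET's or the advisory's own code). The product names and fixed builds come from that list; the inventory rows are constructed, and the `review` status for products or version families the list does not mention is an assumption of this example.

```python
# Added example: thresholds come from the "Fixed versions" list on this page.
CONSUMER_FIXED = (18, 2, 14, 0)
# Endpoint products are fixed per version family, keyed by major version.
ENDPOINT_FIXED = {12: (12, 0, 2058, 0), 11: (11, 0, 2062, 0)}

SINGLE_THRESHOLD = {name: CONSUMER_FIXED for name in (
    "ESET NOD32 Antivirus", "ESET Internet Security",
    "ESET Smart Security Premium", "ESET Security Ultimate",
    "ESET Small Business Security", "ESET Safe Server")}
FAMILY_THRESHOLD = {name: ENDPOINT_FIXED for name in (
    "ESET Endpoint Antivirus for Windows",
    "ESET Endpoint Security for Windows")}

def parse_version(text):
    """Turn '18.2.14.0' into (18, 2, 14, 0); short versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def classify(product, version_text):
    """Return 'fixed', 'outdated' or 'review' for one installer package."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "review"  # unparseable version: needs a manual look
    if product in SINGLE_THRESHOLD:
        return "fixed" if version >= SINGLE_THRESHOLD[product] else "outdated"
    families = FAMILY_THRESHOLD.get(product)
    if families is None or version[0] not in families:
        return "review"  # product or version family not in the list above
    return "fixed" if version >= families[version[0]] else "outdated"

def audit(inventory):
    """Map each (product, version) row to its status, keeping input order."""
    return [(p, v, classify(p, v)) for p, v in inventory]

# Constructed sample inventory of installer packages (not real data).
SAMPLE = [
    ("ESET Endpoint Security for Windows", "11.0.2044.0"),
    ("ESET Endpoint Antivirus for Windows", "12.0.2058.0"),
    ("ESET Endpoint Antivirus for Windows", "10.1.2058.0"),
    ("ESET Safe Server", "18.1.13.0"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```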

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
