AVAST Antivirus 25.11 Unquoted Service Path Privilege Escalation
Description
AVAST Antivirus 25.11 contains an unquoted service path vulnerability in the SecureLine service that allows local non-privileged users to execute code with elevated SYSTEM privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that execute with high-level system permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
Root cause
"The service binary path for Avast SecureLine is not enclosed in quotes, allowing Windows to interpret spaces as argument separators and enabling arbitrary code execution via path injection."
Attack vector
A local non-privileged user exploits the unquoted service path `C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe` [ref_id=1]. Because the path contains spaces and is not quoted, Windows will attempt to execute each space-delimited token as a possible executable. An attacker can place a malicious executable named, for example, `AVAST.exe` or `Software.exe` in a directory that Windows searches before reaching the intended binary, causing the injected executable to run with SYSTEM privileges when the service starts.
Affected code
The vulnerable service is the Avast SecureLine service (binary name `VpnSvc.exe`). The service binary path is configured as `C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe` without surrounding quotes, which is the classic unquoted service path pattern.
What the fix does
The advisory does not provide a patch diff. The standard remediation for an unquoted service path vulnerability is to enclose the binary path in double quotes in the service configuration (e.g., `"C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe"`). Without a published fix, users should manually apply this change or ensure that no unprivileged user can write to the directories along the unquoted path.
Preconditions
- inputThe attacker must have local access to the Windows system and the ability to write files to a directory that is searched before the intended binary (e.g., `C:\Program Files\AVAST\` or `C:\Program Files\AVAST Software\`).
- configThe SecureLine service must be configured with the unquoted binary path as shown in the PoC.
- authNo authentication beyond local user access is required; the service runs as LocalSystem.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- www.exploit-db.com/exploits/52510mitreexploit
- www.vulncheck.com/advisories/avast-antivirus-unquoted-service-path-privilege-escalationmitrethird-party-advisory
- www.avast.commitreproduct
News mentions
0No linked articles in our index yet.