CVE-2026-12214

Vulnerability

A security feature bypass vulnerability exists in Qihoo 360 Total Security 6.0, specifically in the Nucleus Engine monitoring logic. The function RpcStringBindingComposeW does not properly validate the NetworkAddr argument. When the argument is set to NULL or "0", the Nucleus Engine fails to intercept the RPC call, unlike when "localhost" is used. This affects all versions of 360 Total Security with Nucleus Engine prior to the disclosure of this bypass technique (June 2026) [1].

Exploitation

An attacker with local access to the system can exploit this by crafting an RPC call to the Windows Task Scheduler RPC interface (UUID: 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53) using RpcStringBindingComposeW with NetworkAddr set to NULL or "0". This bypasses the Nucleus Engine's monitoring that typically blocks "localhost" bindings, allowing the attacker to register a malicious scheduled task via the SchRpcRegisterTask RPC call without detection [1].

Impact

Successful exploitation enables the attacker to create arbitrary scheduled tasks on the system. This can lead to persistence (e.g., executing malware at system startup), privilege escalation, or other malicious activities, as the bypass circumvents 360 Total Security's protective monitoring. The attack does not require authentication beyond local access, and public exploit code is available [1].

Mitigation

Qihoo 360 did not respond to the disclosure, and no official patch or fixed version has been released as of the publication date (June 15, 2026). Users are advised to consider alternative security solutions or manually restrict RPC access to the Task Scheduler interface if possible. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].