VYPR
Advisory · Published Apr 15, 2026 · Updated May 18, 2026 · 1 source

Malwarebytes Anti-Malware Local Privilege Escalation Vulnerability Disclosed (ZDI-26-267)

A local privilege escalation vulnerability in Malwarebytes Anti-Malware allows low-privileged attackers to gain SYSTEM access via an uncontrolled search path element, fixed in version 1.0.6.31.

The Zero Day Initiative (ZDI) has disclosed a local privilege escalation vulnerability in Malwarebytes Anti-Malware, tracked as ZDI-26-267. The flaw, an uncontrolled search path element, allows an attacker who already has low-privileged code execution on a target system to load a malicious file from an unsecured location. Successful exploitation grants SYSTEM-level privileges, enabling full control over the affected machine.

The vulnerability resides within the Malwarebytes service, which loads a file from an unsecured path. By placing a specially crafted file in that location, a low-privileged attacker can trick the service into executing arbitrary code in the context of SYSTEM. The issue was reported to Malwarebytes on February 29, 2024, by researcher Malcolm Stagg of SODIUM-24, LLC, and was fixed in version 1.0.6.31 of the product.

Malwarebytes Anti-Malware is widely used by consumers and enterprises for endpoint protection. While the vulnerability requires local access, it poses a significant risk in multi-user environments or when combined with other attack vectors that achieve initial code execution. The CVSS score of 7.8 reflects the high impact on confidentiality, integrity, and availability.

Malwarebytes has released version 1.0.6.31 to address the issue. Users are strongly advised to update their installations immediately. No in-the-wild exploitation has been reported at the time of disclosure, but the advisory provides sufficient detail for attackers to develop exploits.
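For defenders triaging endpoints, the following PowerShell sketch is an added example, not code from Malwarebytes or ZDI: it checks a reported product version against the fixed release and audits directories that a SYSTEM service loads files from for write access granted to low-privileged groups, the condition behind an uncontrolled search path element. The advisory does not name the affected path, so the directory and the sample version string are placeholders supplied by the operator, and the function names are hypothetical.

```powershell
# Added example (not vendor or ZDI code). Only the fixed version comes from the advisory.
$FixedVersion = [version]'1.0.6.31'

# Well-known SIDs for low-privileged groups (locale-independent):
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# WriteData (0x2) and AppendData (0x4) allow creating files/subdirectories; Modify and
# FullControl include both. GENERIC_WRITE / GENERIC_ALL appear as raw values in some ACEs.
$WriteBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Test-FixedVersion {
    param([Parameter(Mandatory)][string]$InstalledVersion)
    # [version] compares numerically per component: 1.0.6.9 is older than 1.0.6.31,
    # which a plain string comparison would get wrong.
    return ([version]$InstalledVersion -ge $FixedVersion)
}

function Get-WritableSearchPath {
    param([Parameter(Mandatory)][string[]]$Directory)
    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # Nothing to read an ACL from; review who can create it under the parent.
            [pscustomobject]@{ Path = $dir; Sid = $null; Finding = 'Missing' }
            continue
        }
        $acl = Get-Acl -LiteralPath $dir
        # Ask for SIDs instead of translated names; include explicit and inherited ACEs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights) -band $WriteBits) {
                [pscustomobject]@{ Path = $dir; Sid = $ace.IdentityReference.Value; Finding = 'Writable' }
            }
        }
    }
}

# Constructed inputs: substitute the version the product reports and the directories
# you have observed the service loading files from.
Test-FixedVersion -InstalledVersion '1.0.6.9'
Get-WritableSearchPath -Directory 'C:\Placeholder\ServiceLoadDirectory'
```

Any `Writable` row for a directory used by a SYSTEM service should be treated as a hardening finding regardless of patch level.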

This disclosure highlights the ongoing challenge of privilege escalation vulnerabilities in security software, which can undermine the very protections they are meant to provide. The coordinated disclosure process, spanning over two years from report to public release, underscores the complexity of responsibly addressing such flaws.

Synthesized by Vypr AI