Cisco has released an update to address a denial-of-service (DoS) vulnerability in its ClamAV anti-virus solution.
The vulnerability, designated CVE-2025-20128, is due to a heap-based buffer overflow issue in ClamAV’s Object Linking and Embedding 2 (OLE2) decryption process. The vulnerability could allow remote, unauthenticated threat actors to crash ClamAV, simply by submitting a file containing OLE2 content for scanning by the vulnerable program.
CVE-2025-20128 affects Cisco’s Secure Endpoint Connector for Linux, Mac, Windows, and Private Cloud. Cisco has stated that it isn’t aware of any active exploitation of the bug, but it has observed the availability of proof-of-concept (PoC) exploit code.
Regardless, Cisco is urging affected users to install the patch as soon as possible.
Source: Bleeping Computer
Analysis
CVE-2025-20128 could pose a significant threat to affected users should threat actors follow its exploitation with a further attack. For example, if a threat actor used CVE-2025-20128 to successfully crash ClamAV on a target’s host, they would then be free to deploy other tools, such as malware and ransomware, that wouldn’t be detected since the anti-virus solution is no longer running. Given that PoC exploit code already exists, it’s likely only a matter of time before threat actors begin targeting vulnerable hosts in this manner.
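The detection side of the scenario above, as an added example written for this note (not Cisco's or ClamAV's own code): a small Python check that walks syslog-style journal lines, flags a clamav-daemon crash, records the last file clamd reported scanning before it died, and measures how long the host ran with no scanner. The log lines are constructed samples and the clamd/systemd message formats are assumed.

```python
import re
from datetime import datetime

# Constructed sample journal lines (not real logs): clamd scans a document,
# systemd reports the daemon killed by SIGSEGV, then restarts it.
SAMPLE_JOURNAL = """\
Jan 23 10:14:02 host clamd[1201]: SelfCheck: Database status OK.
Jan 23 10:15:41 host clamd[1201]: /srv/upload/report.doc: OK
Jan 23 10:15:42 host systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=11/SEGV
Jan 23 10:15:47 host systemd[1]: Started Clam AntiVirus userspace daemon.
Jan 23 10:16:05 host clamd[1340]: SelfCheck: Database status OK.
"""

# Syslog-style prefix "Mon DD HH:MM:SS host unit[pid]: message" (assumed format).
LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+?)\[\d+\]: (.*)$")
CRASH_RE = re.compile(r"clamav-daemon\.service: Main process exited, code=killed, status=\d+/(\w+)")
SCAN_RE = re.compile(r"^(\S+): (OK|.+ FOUND)$")


def parse_ts(stamp, year=2025):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_av_gaps(journal_text):
    """One dict per clamd crash: time, signal, last file clamd reported scanning,
    restart time (None if never restarted) and the unprotected window in seconds."""
    gaps, last_scanned = [], None
    for line in journal_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, _host, unit, msg = m.groups()
        if unit == "clamd":
            scan = SCAN_RE.match(msg)
            if scan:
                last_scanned = scan.group(1)  # candidate trigger for a later crash
        elif unit == "systemd":
            crash = CRASH_RE.search(msg)
            if crash:
                gaps.append({"crash": parse_ts(stamp), "signal": crash.group(1),
                             "last_scanned": last_scanned, "restart": None,
                             "unprotected_s": None})
            elif "Started Clam AntiVirus" in msg and gaps and gaps[-1]["restart"] is None:
                gaps[-1]["restart"] = parse_ts(stamp)
                gaps[-1]["unprotected_s"] = (gaps[-1]["restart"] - gaps[-1]["crash"]).total_seconds()
    return gaps
```

A gap whose restart stays None is the case to page on: the scanner died and nothing brought it back.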
Cisco software and devices are widely used throughout the world and thus popular targets for nation-state and criminal hackers alike. In December 2024, Cisco warned its customers that threat actors were actively exploiting a vulnerability in its Adaptive Security Appliance (ASA) that the company had patched way back in 2014.
Because of this exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2014-2120 to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to secure affected devices. The exploitation of CVE-2014-2120, a flaw patched 10 years ago, demonstrates how threat actors will leverage any advantage they can find to facilitate their malicious activities.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the threat landscape for vulnerabilities discovered in software, appliances, and operating systems.
This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities. Field Effect MDR users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect portal.
Field Effect strongly encourages users of vulnerable Cisco Secure Endpoint Connectors to install the latest security patch as soon as possible in accordance with Cisco’s advisory.