This common Windows flaw occurs when a service's executable path contains spaces and is not enclosed in quotation marks. For instance, if the service path were `C:\Program Files\AVAST Software\Avast\AvastSvc.exe` without quotes, an attacker could place a malicious executable named `Program.exe` in `C:\`. When the Avast service started, Windows would incorrectly attempt to execute `C:\Program.exe` instead of the legitimate Avast service.
This would allow the attacker's code to run with the elevated privileges of the Avast service (often SYSTEM), leading to potential full system compromise. Users should ensure their Avast software is updated to patched versions.
# Exploit Title: AVAST Antivirus 25.11 - Unquoted Service Path
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact:
# Date: 2025-12-17
# Vendor Homepage: https://www.avast.com/
# Software Link: https://www.avast.com/es-mx/download-thank-you.php?product=SLN&locale=es-mx
# Tested Version: 25.11
# Tested on OS: Windows 11
Description
AVAST Antivirus 25.11 contains an unquoted service path vulnerability that allows
local non-privileged users to potentially execute code with elevated SYSTEM
privileges. Attackers can exploit the unquoted service path configuration
to inject malicious executables that will be run with high-level system
permissions.
PoC
C:\>sc qc SecureLine
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SecureLine
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Avast SecureLine
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
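
An audit check for the condition shown in the `sc qc` output above, written as an added example (not code from the advisory or from Avast). It takes service binary path strings, flags the unquoted ones that contain spaces, lists the file names Windows would try before the real binary, and produces the quoted form; the function names are hypothetical and the executable is assumed to end at the first `.exe`.

```python
import re

def executable_part(image_path: str) -> str:
    """Executable portion of an unquoted ImagePath, without trailing arguments.
    Assumption: the executable ends at the first '.exe' token."""
    m = re.search(r"\.exe\b", image_path, re.IGNORECASE)
    return image_path[:m.end()] if m else image_path

def audit_image_path(image_path: str) -> dict:
    """Report whether a service ImagePath is unquoted with spaces, which
    earlier paths Windows would try first, and the quoted replacement."""
    path = image_path.strip()
    if path.startswith('"'):
        return {"vulnerable": False, "candidates": [], "fixed": path}
    exe = executable_part(path)
    args = path[len(exe):]
    # At every space Windows may treat the text so far as the program name
    # and append ".exe"; each such file location must not be user-writable.
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    fixed = f'"{exe}"{args}' if candidates else path
    return {"vulnerable": bool(candidates), "candidates": candidates, "fixed": fixed}

# First entry is the binary path from the sc qc output above; the rest are constructed.
SAMPLES = [
    r"C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe",
    r'"C:\Program Files\Example Vendor\svc.exe" --run',
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = audit_image_path(s)
        print(("UNQUOTED" if r["vulnerable"] else "ok      "), s)
        for c in r["candidates"]:
            print("    tried before the real binary:", c)
        if r["vulnerable"]:
            print("    quoted ImagePath:", r["fixed"])
```

Working on the path string itself rather than on `sc qc` field labels keeps the check independent of the display language, which matters here because the output above is localized. For each flagged service, review the ACLs of the directories that would hold the candidate files and set the service's binary path to the quoted value.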