Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71326

CVE-2025-71326: AVAST Antivirus Privilege Escalation Flaw

CVE-2025-71326 is a privilege escalation vulnerability in AVAST Antivirus 25.11 affecting the SecureLine service. Local attackers can exploit unquoted service paths to gain SYSTEM privileges. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-71326 Overview

CVE-2025-71326 is a local privilege escalation vulnerability in AVAST Antivirus 25.11. The flaw resides in the SecureLine service, which registers a Windows service binary path that is not properly enclosed in quotation marks. A local non-privileged user can place a malicious executable along the unquoted path, and Windows will execute that binary with SYSTEM privileges when the service starts. The weakness is classified as CWE-428: Unquoted Search Path or Element.

Critical Impact

A local authenticated attacker can escalate from a standard user account to NT AUTHORITY\SYSTEM, gaining full control of the affected Windows host.

Affected Products

  • AVAST Antivirus 25.11 (Windows)
  • AVAST SecureLine VPN service component bundled with AVAST Antivirus
  • Windows endpoints running the vulnerable SecureLine service

Discovery Timeline

  • 2026-06-19 - CVE-2025-71326 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2025-71326

Vulnerability Analysis

The vulnerability stems from how the SecureLine Windows service registers its ImagePath in the registry. When a service binary path contains spaces and is not wrapped in quotation marks, the Windows Service Control Manager (SCM) attempts to interpret each whitespace-delimited token as a candidate executable. The SCM walks the path from left to right, trying each prefix as a binary before falling back to the full path.

If a directory along the path is writable by non-privileged users, an attacker can drop a malicious executable named to match the first token. On service startup or restart, the SCM launches the attacker-controlled binary in the security context of the service account, which in this case is LocalSystem.

The flaw maps to CWE-428. Exploitation requires local access with low privileges and no user interaction. EPSS data lists a probability of 0.127% as of 2026-06-25.

Root Cause

The SecureLine service installer writes the binary path to the Windows registry without surrounding it with double quotes. Combined with a default installation directory under C:\Program Files\... that contains spaces, this produces multiple interpretation candidates that the SCM evaluates before reaching the legitimate binary.

Attack Vector

An attacker authenticated as a standard local user identifies the unquoted service path by querying the SCM with commands such as sc qc SecureLine or wmic service get name,pathname,startmode. After locating a writable parent directory, the attacker plants a payload named to match an earlier path token. When the service restarts — either through a reboot, an administrator action, or a recoverable service crash — Windows launches the planted binary with SYSTEM privileges. No exploit is reported in the wild, and the issue is not listed on the CISA Known Exploited Vulnerabilities catalog.

For additional technical context, see the VulnCheck advisory on the AVAST unquoted service path and the Exploit-DB entry #52510.

Detection Methods for CVE-2025-71326

Indicators of Compromise

  • Unexpected executables in directories along the SecureLine service path, particularly under C:\Program Files\ or C:\Program Files (x86)\ parent directories with names matching truncated path tokens.
  • New child processes spawned by services.exe whose parent path does not match the legitimate AVAST SecureLine binary.
  • Service configuration changes for SecureLine showing an unquoted BinaryPathName containing spaces.

Detection Strategies

  • Enumerate all Windows services and flag entries where ImagePath contains spaces and is not wrapped in quotation marks. PowerShell with Get-WmiObject Win32_Service returns the raw PathName value for inspection.
  • Alert on file write events to protected Program Files subdirectories originating from non-administrative user contexts.
  • Correlate service start events (Event ID 7036) with process creation events (Event ID 4688) to identify mismatches between expected and actual service binaries.

Monitoring Recommendations

  • Audit Windows registry writes to HKLM\SYSTEM\CurrentControlSet\Services\SecureLine\ImagePath and adjacent service keys.
  • Monitor process creation events where the parent is services.exe and the child image path differs from vendor-signed AVAST binaries.
  • Track integrity-level transitions from Medium to System originating from binaries in user-writable locations.

How to Mitigate CVE-2025-71326

Immediate Actions Required

  • Update AVAST Antivirus to the latest vendor-supplied build that quotes the SecureLine service ImagePath. Refer to the Avast security page for the current release.
  • Inventory Windows endpoints running AVAST Antivirus 25.11 and prioritize remediation on multi-user workstations and shared systems.
  • Revoke write permissions for non-administrative users on every directory traversed by the unquoted service path.

Patch Information

Apply the vendor update from AVAST that corrects the SecureLine service registration. The fix wraps the service BinaryPathName in quotation marks, eliminating the ambiguous path resolution performed by the SCM. Until the patch is deployed, treat affected hosts as exposed to local privilege escalation.

Workarounds

  • Manually quote the service path using sc config SecureLine binPath= "\"C:\Program Files\...\SecureLine.exe\"" from an elevated prompt, preserving any required arguments.
  • Apply NTFS access control lists that deny write and create-file permissions to non-administrative users on C:\Program Files\ and its subdirectories.
  • Disable the SecureLine service if the VPN functionality is not required, using sc config SecureLine start= disabled.
bash
# Configuration example - audit and remediate unquoted service paths
wmic service get name,pathname,startmode | findstr /i /v "\"" | findstr /i /v "C:\Windows"
sc qc SecureLine
sc config SecureLine binPath= "\"C:\Program Files\Common Files\AVAST Software\SecureLine\SecureLine.exe\""

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.