Comodo Internet Security 2025 Flaws Allow Remote Code Execution With SYSTEM Privileges
Security researchers have uncovered a series of critical vulnerabilities in Comodo Internet Security 2025, exposing users to remote code execution (RCE) attacks that could grant threat actors SYSTEM-level privileges.
These flaws affect Comodo Internet Security Premium version 12.3.4.8162 and potentially other recent releases, putting both individual and enterprise users at risk.
| CVE ID | Vulnerability Type | CVSS Score | Attack Vector | Impact |
| CVE-2025-7095 | Improper Certificate Validation | 3.7 | Network | RCE, MITM |
| CVE-2025-7098 | Path Traversal in File Handler | 5.6 | Network | Arbitrary Write |
| CVE-2024-7251 | Local Privilege Escalation | 7.8 | Local | SYSTEM Exec |
Technical Overview
1. Improper Certificate Validation (CWE-295)
Comodo’s update mechanism relies on HTTPS to fetch updates from official servers. However, it fails to validate SSL certificates properly, allowing attackers to perform DNS spoofing or man-in-the-middle (MITM) attacks.
By redirecting update traffic to a malicious server, adversaries can deliver tampered update manifests and binaries without detection.
Example Attack Flow:
- Attacker sets up a rogue HTTPS server with a self-signed certificate.
- Through ARP/DNS spoofing, the victim’s update requests are redirected to the attacker.
- Comodo Internet Security accepts the connection and downloads update files from the untrusted source.
2. Path Traversal Vulnerability (CWE-22)
A critical flaw in the File Name Handler component allows path traversal via manipulated file and folder arguments.
Malicious update manifests can specify file paths outside the intended directory, enabling arbitrary file writes anywhere on the system—including the Windows Startup folder.
Proof-of-Concept Manifest Snippet:
This code writes a batch file into the Startup folder, ensuring execution on next reboot with SYSTEM privileges.
3. Insufficient Verification of Data Authenticity (CWE-345)
Comodo does not enforce integrity or authenticity checks on update manifest files.
Attackers can craft malicious manifests that execute arbitrary code, such as launching a PowerShell payload via the update process.
These payloads run under SYSTEM, bypassing user account controls and leveraging Comodo’s own trusted processes.
- Remote Code Execution: Attackers can deliver and execute arbitrary code as SYSTEM.
- Persistence: Malicious files placed in Startup guarantee persistence across reboots.
- Privilege Escalation: Attackers gain full control, able to run post-exploitation tools like Mimikatz and hashdump.
- Update Immediately: Users should apply any patches released by Comodo.
- Network Protections: Enable anti-ARP spoofing and monitor for suspicious update traffic.
- Restrict Update Sources: Configure firewalls to only allow connections to official Comodo servers.
These vulnerabilities highlight the critical importance of robust certificate validation, strict path sanitization, and manifest integrity checks in security software.
Until patches are confirmed, users should take immediate steps to mitigate exposure.
Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free
Source link
