Cyber Resilience

CVE-2024-11128

Severity: High · Class: LPE (local privilege escalation)

Published: 13 January 2025
Modified: 11 February 2025
KEV Added: not listed
Patch: available (version 3.18 and later)
CVSS v4.0 base score: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N; threat and environmental metrics not defined)
EPSS score: 0.0008 (23.8th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11128 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Bitdefender Virus Scanner for macOS. Its CVSS v4.0 base score is 8.4 (High); under CVSS v3.1 it scores 7.8.

Operationally, exploitation aligns with the MITRE ATT&CK technique Dylib Hijacking (T1574.004). Its EPSS score places it at the 23.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-11128 is a vulnerability in the BitdefenderVirusScanner binary as used in Bitdefender Virus Scanner for macOS. The binary was signed without the Hardened Runtime option and without Library Validation, so the dyld loader honours injection requests (for example the DYLD_INSERT_LIBRARIES environment variable) and will load a library that is signed neither by Apple nor by the vendor's Team ID, and Apple Mobile File Integrity (AMFI) does not block the load. It affects Bitdefender Virus Scanner versions prior to 3.18, has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and is mapped to CWE-269.

A local attacker with low privileges can exploit this with low attack complexity and, per the CVSS v3.1 vector, no user interaction (the CVSS v4.0 vector on this page records UI:A, active user interaction, so the two scorings disagree on that point). Exploitation lets the attacker load an arbitrary dynamic library into the Virus Scanner process and run code with that process's privileges and entitlements, with high confidentiality, integrity, and availability impact on the affected system.

The Bitdefender security advisory at https://www.bitdefender.com/support/security-advisories/insufficient-hardened-runtime-or-library-validation-signing-in-bitdefender-virus-scanner-for-macos/ addresses this issue; the fix is to update to version 3.18 or later, which ships the binary signed with the required Hardened Runtime and Library Validation protections.
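The check a practitioner would run on the installed binary before and after the 3.18 update, as an added example (this is not code from the page or from Bitdefender): it parses the CodeDirectory flags word that `codesign -dvvv <binary>` prints and the XML entitlements plist that `codesign -d --entitlements :- <binary>` prints, and reports whether dyld would honour DYLD_INSERT_LIBRARIES and whether Library Validation would reject a foreign dylib. The codesign output and the entitlements below are constructed inline to mimic the unprotected and patched states; the paths, bundle identifier and Team ID in them are placeholders, not the real product's values.

```python
"""Assess a macOS binary's code signature for the protections CVE-2024-11128 lacked.

Added example; not Bitdefender's code. Consumes `codesign -dvvv` text and an
optional entitlements plist and decides whether dyld would load an
attacker-controlled library into the process.
"""
import plistlib
import re
from typing import Optional

# Code-directory flag bits as printed by codesign (names from xnu cs_blobs.h).
CS_RESTRICT = 0x0800     # "restrict": dyld ignores DYLD_* variables
CS_REQUIRE_LV = 0x2000   # "library-validation": only same-team/Apple dylibs load
CS_RUNTIME = 0x10000     # "runtime": Hardened Runtime

# Entitlements that re-open a Hardened Runtime process to injection.
ENT_DISABLE_LV = "com.apple.security.cs.disable-library-validation"
ENT_ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"

FLAGS_RE = re.compile(r"^CodeDirectory .*?flags=0x([0-9a-fA-F]+)", re.MULTILINE)


def parse_codesign_flags(codesign_text: str) -> int:
    """Return the CodeDirectory flags word from `codesign -dvvv` output."""
    match = FLAGS_RE.search(codesign_text)
    if match is None:
        # codesign prints "code object is not signed at all" in that case.
        raise ValueError("no CodeDirectory flags line: binary unsigned or output truncated")
    return int(match.group(1), 16)


def parse_entitlements(plist_xml: Optional[bytes]) -> dict:
    """Parse an XML entitlements plist; an absent or empty blob means none."""
    if not plist_xml or not plist_xml.strip():
        return {}
    return plistlib.loads(plist_xml)


def assess(codesign_text: str, entitlements_xml: Optional[bytes] = None) -> dict:
    """Decide whether DYLD_INSERT_LIBRARIES could load an arbitrary dylib."""
    flags = parse_codesign_flags(codesign_text)
    ents = parse_entitlements(entitlements_xml)
    hardened = bool(flags & CS_RUNTIME)
    # Hardened Runtime implies Library Validation unless the app opts out;
    # the explicit flag (codesign -o library) enforces it even without a runtime.
    library_validation = bool(flags & CS_REQUIRE_LV) or (
        hardened and not ents.get(ENT_DISABLE_LV, False)
    )
    # dyld drops DYLD_* for restricted processes; a hardened process only reads
    # them if it carries the allow-dyld-environment-variables entitlement.
    if flags & CS_RESTRICT:
        dyld_env_honoured = False
    elif hardened:
        dyld_env_honoured = bool(ents.get(ENT_ALLOW_DYLD_ENV, False))
    else:
        dyld_env_honoured = True
    return {
        "flags": flags,
        "hardened_runtime": hardened,
        "library_validation": library_validation,
        "dyld_env_honoured": dyld_env_honoured,
        # Injecting an unsigned or attacker-signed dylib needs both gaps at once:
        # the loader must read DYLD_INSERT_LIBRARIES and must not validate the
        # library's signer. Library Validation alone still permits same-team dylibs.
        "arbitrary_dylib_injection": dyld_env_honoured and not library_validation,
    }


# Constructed sample of `codesign -dvvv` output for an unprotected (pre-3.18) binary;
# path, identifier and Team ID are placeholders.
SAMPLE_UNPROTECTED = """\
Executable=/Applications/Example.app/Contents/MacOS/BitdefenderVirusScanner
Identifier=com.example.constructed.sample
Format=Mach-O thin (x86_64)
CodeDirectory v=20200 size=1832 flags=0x0(none) hashes=51+5 location=embedded
Signature size=8980
Authority=Developer ID Application: Constructed Sample (TEAMID0000)
"""

# Constructed sample of the same binary re-signed with Hardened Runtime (3.18+ state).
SAMPLE_HARDENED = SAMPLE_UNPROTECTED.replace("flags=0x0(none)", "flags=0x10000(runtime)")

# Constructed sample entitlements that opt a hardened binary back out of both protections.
SAMPLE_OPT_OUT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, text, ents in (
        ("unprotected (<3.18)", SAMPLE_UNPROTECTED, None),
        ("hardened (3.18+)", SAMPLE_HARDENED, None),
        ("hardened but opted out", SAMPLE_HARDENED, SAMPLE_OPT_OUT_ENTITLEMENTS),
    ):
        r = assess(text, ents)
        print(f"{name}: flags=0x{r['flags']:x} injectable={r['arbitrary_dylib_injection']}")
```

On a real host, capture `codesign -dvvv <binary> 2>&1` and `codesign -d --entitlements :- <binary>` and pass the two outputs to assess(). The flags word does not show everything dyld considers: a setuid binary, or one carrying a __RESTRICT segment, is also treated as restricted and ignores DYLD_* variables, so a "none" flags line on such a binary overstates its exposure.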

Vulnerability details

A vulnerability in the BitdefenderVirusScanner binary as used in Bitdefender Virus Scanner for macOS may allow dynamic library injection (DYLD injection) without being blocked by AppleMobileFileIntegrity (AMFI). This issue is caused by the absence of Hardened Runtime or Library Validation signing. This issue affects Bitdefender Virus Scanner versions before 3.18.

CWE(s)

CWE-269 Improper Privilege Management
Related Threats

MITRE ATT&CK Enterprise Techniques

T1574.004 Dylib Hijacking (Stealth)
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime.
Why these techniques?

Missing Hardened Runtime and Library Validation directly enables injection of an arbitrary, attacker-controlled dylib into the target process, which is the loader abuse T1574.004 covers. Note the distinction: the sub-technique is named for planting a dylib at a name the application already searches for, whereas this CVE concerns injection that a correctly signed binary would have had refused by the loader's signing policy; both end with attacker code running inside the process.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13872 (same vendor: Bitdefender)
CVE-2024-13871 (same vendor: Bitdefender)
CVE-2026-4880 (shared CWE-269)
CVE-2024-44250 (shared CWE-269)
CVE-2024-53706 (shared CWE-269)
CVE-2024-53350 (shared CWE-269)
CVE-2026-2931 (shared CWE-269)
CVE-2025-66374 (shared CWE-269)
CVE-2026-26725 (shared CWE-269)
CVE-2025-37123 (shared CWE-269)

Affected Assets

bitdefender virus scanner, versions before 3.18 (3.18 and later carry the fix)

Mitigating Controls (NIST 800-53 r5)

CM-14 Signed Components (prevent)

Requires digital signing of software components, directly addressing the absence of Hardened Runtime or Library Validation signing that enables DYLD injection.

SI-2 Flaw Remediation (prevent)

Mandates timely flaw remediation through patching, which resolves the vulnerability by updating to version 3.18, whose binary carries the required signing protections.

SI-7 Software, Firmware, and Information Integrity (prevent, detect; the control identifier is not shown on the page and is matched here from the description)

Enforces software integrity verification including signature checks, which can detect tampering with the BitdefenderVirusScanner binary itself. A caveat for detection engineering: DYLD injection does not modify the on-disk binary, so integrity monitoring of the binary alone will not see an injected library; the preventive value comes from requiring a signing policy that the loader enforces at run time.
