Cyber Resilience

CVE-2025-0798

Critical · Public PoC · RCE

Published: 29 January 2025
Modified: 09 October 2025
KEV Added: not listed
Patch: none available
CVSS Score (v4): 9.2
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0144 (81.1th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0798 is a critical-severity Command Injection (CWE-77) vulnerability in Escanav Escan Anti-Virus. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 18.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability rated critical has been identified in MicroWorld eScan Antivirus version 7.0.32 on Linux, specifically within the Quarantine Handler component's rtscanner file. The flaw stems from improper handling that permits OS command injection, corresponding to CWE-77 and CWE-78, and carries a CVSS 4.0 score of 9.2 reflecting high impact on confidentiality, integrity, and availability despite high attack complexity.

Remote attackers without authentication can exploit the issue to execute arbitrary operating system commands, though successful exploitation requires significant effort and the attack vector is considered difficult. Public disclosure of an exploit has occurred, enabling potential reuse by threat actors.

No vendor patch or official advisory has been issued, as MicroWorld did not respond to early disclosure notifications; the provided references consist of a detailed technical write-up and exploit documentation hosted on GitHub along with Vuldb entries.

The associated EPSS score has risen from a low baseline to a peak of 0.0313, indicating emerging exploitation interest after public release and suggesting the CVE merits renewed monitoring.


Vulnerability details

A vulnerability was found in MicroWorld eScan Antivirus 7.0.32 on Linux. It has been rated as critical. This issue affects some unknown processing of the file rtscanner of the component Quarantine Handler. The manipulation leads to OS command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

OS command injection in the Linux antivirus service rtscanner enables Unix shell command execution (T1059.004), indirect command execution (T1202, as cited in the advisory), and exploitation of a remote service for RCE (T1210).

CVEs Like This One

CVE-2024-13188: same product (Escanav Escan Anti-Virus)
CVE-2025-1366: same product (Escanav Escan Anti-Virus)
CVE-2025-9579: shared CWE-77, CWE-78
CVE-2025-9244: shared CWE-77, CWE-78
CVE-2026-4558: shared CWE-77, CWE-78
CVE-2025-50989: shared CWE-77, CWE-78
CVE-2025-11665: shared CWE-77, CWE-78
CVE-2026-26068: shared CWE-77, CWE-78
CVE-2025-7414: shared CWE-77, CWE-78
CVE-2026-3485: shared CWE-77, CWE-78

Affected Assets

Vendor: escanav
Product: escan anti-virus
Version: 7.0.32

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent)

Directly prevents OS command injection by requiring validation of inputs to the Quarantine Handler during rtscanner file processing.

SI-2 Flaw Remediation (prevent, recover)

Mandates identification, reporting, and correction of the command injection flaw in eScan Antivirus 7.0.32, including patches or workarounds.

Least privilege control (identifier not given on this page) (prevent)

Reduces the impact of successful command injection by enforcing least privilege on the vulnerable Quarantine Handler process.
