CVE-2025-0798
Published: 29 January 2025
Summary
CVE-2025-0798 is a high-severity Command Injection (CWE-77) vulnerability in Escanav Escan Anti-Virus. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 19.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents OS command injection by requiring validation of inputs to the Quarantine Handler during rtscanner file processing.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of the command injection flaw in eScan Antivirus 7.0.32, including patches or workarounds.
- Least privilege: reduces the impact of successful command injection by enforcing least privilege on the vulnerable Quarantine Handler process.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the Linux antivirus service rtscanner enables Unix Shell command execution (T1059.004), indirect command execution (T1202, as cited in the advisory), and exploitation of a remote service for RCE (T1210).
NVD Description
A vulnerability was found in MicroWorld eScan Antivirus 7.0.32 on Linux. It has been rated as critical. This issue affects some unknown processing of the file rtscanner of the component Quarantine Handler. The manipulation leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-0798 is a critical OS command injection vulnerability (CWE-77, CWE-78) in MicroWorld eScan Antivirus version 7.0.32 on Linux systems. The flaw resides in the Quarantine Handler component, specifically during processing of the rtscanner file, where improper handling allows malicious input to execute arbitrary operating system commands. Rated at CVSS 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on January 29, 2025.
Remote attackers can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity and is considered difficult to execute. Successful exploitation enables full system compromise, granting high-impact confidentiality, integrity, and availability violations through injected OS commands.
Advisories from VulDB and a public GitHub disclosure detail the issue, including a proof-of-concept exploit in escan_rtscanner_rce.md, but the vendor was contacted early and provided no response or patch. Security practitioners should monitor for updates, restrict access to the affected component, and consider alternative antivirus solutions until mitigation is available.
The exploit has been publicly disclosed and may be used, though its high complexity limits widespread adoption. No real-world exploitation in the wild is reported.
Details
- CWE(s)