CVE-2025-20128
Published: 22 January 2025
Summary
CVE-2025-20128 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Cisco Secure Endpoint. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). The CVE is ranked in the top 28.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV stems from an integer underflow during a bounds check, which produces a heap buffer over-read. The flaw is tracked as CVE-2025-20128 and carries a CVSS 3.1 score of 5.3; it affects the open-source ClamAV antivirus engine used for file scanning.
An unauthenticated remote attacker can trigger the issue by submitting a specially crafted file containing malicious OLE2 content for scanning. Successful exploitation terminates the ClamAV scanning process, resulting in a denial-of-service condition on the affected software. No authentication or user interaction is required.
Cisco has published software updates that remediate the vulnerability in ClamAV 1.4.2 and 1.0.8; the corresponding security advisory states that no workarounds exist. Downstream distributions such as Debian have also issued patched packages.
EPSS for the CVE rose from a low baseline after disclosure to a peak of 0.0592 on 2025-12-11 before receding to its current value of 0.0199, indicating that exploitation interest increased several months after the initial announcement.
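The mechanism described above, an unsigned bounds check that wraps when a file-controlled position exceeds the buffer, shown on a hypothetical record format as an added example. This is not ClamAV's code; the layout, field names, helper functions and sample bytes are all assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout (assumed, not ClamAV's OLE2 format): u32 payload
 * offset + u32 payload length, both read from the file, then the payload. */
#define HDR_LEN ((size_t)8)
/* Flawed check: "bytes remaining" is computed with unsigned arithmetic before
 * pos is validated. When the file-controlled pos exceeds total, total - pos
 * wraps to a huge value, any declared length passes, and the read runs past
 * the end of the heap buffer. */
static bool bounds_ok_unsafe(size_t total, size_t pos, size_t want)
{
    size_t avail = total - pos;   /* underflows when pos > total */
    return want <= avail;
}
/* Hardened check: validate pos before subtracting, so it can never wrap. */
static bool bounds_ok_safe(size_t total, size_t pos, size_t want)
{
    return pos <= total && want <= total - pos;
}
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Returns the payload length the given check would let a parser read from
 * buf, or 0 when the check rejects the input. */
static size_t admitted_len(const uint8_t *buf, size_t total,
                           bool (*check)(size_t, size_t, size_t))
{
    if (total < HDR_LEN)
        return 0;
    size_t pos = HDR_LEN + le32(buf);   /* u32 + 8 cannot wrap in 64-bit size_t */
    size_t len = le32(buf + 4);
    return check(total, pos, len) ? len : 0;
}
/* Constructed inputs: a benign 16-byte file, and a crafted one whose declared
 * offset (9) lands one byte past the end of the buffer with length 0x1000. */
static const uint8_t BENIGN[16]  = {0,0,0,0, 4,0,0,0, 'a','b','c','d', 0,0,0,0};
static const uint8_t CRAFTED[16] = {9,0,0,0, 0,0x10,0,0, 0,0,0,0, 0,0,0,0};

int main(void)
{
    printf("crafted: unsafe admits %zu bytes, safe admits %zu\n",
           admitted_len(CRAFTED, 16, bounds_ok_unsafe), admitted_len(CRAFTED, 16, bounds_ok_safe));
    return 0;
}
```

The unsafe check lets the crafted record claim 4096 bytes from a 16-byte buffer, which is the over-read the advisory describes; the hardened check rejects it before any subtraction happens.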
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2155
Vulnerability details
A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Disable or Modify Tools (T1685)
Why these techniques?
An integer underflow in the ClamAV OLE2 parser lets a crafted file crash the antivirus scanner process remotely (DoS), which maps directly to impairing security tools.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely flaw remediation by applying the available ClamAV patches that fix the integer underflow leading to the heap buffer overflow in the OLE2 decryption routine.
- RA-5 (Vulnerability Monitoring and Scanning): enables detection of vulnerable ClamAV versions through regular vulnerability scanning, so that they are patched promptly before exploitation.
- A denial-of-service protection control limits the impact of crafted OLE2 files terminating the ClamAV scanning process.