CVE-2025-20128

Medium

Published: 22 January 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: available (Cisco software updates)
CVSS Score v3.1: 5.3 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score: 0.0151 (71.2nd percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-20128 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in the ClamAV antivirus engine, which Cisco ships inside Cisco Secure Endpoint. Its CVSS 3.1 base score is 5.3 (Medium); the vector rates availability as the only impacted property (C:N/I:N/A:L), which matches a crash rather than code execution.

Operationally, exploitation maps to the MITRE ATT&CK technique Disable or Modify Tools (T1685): crashing the scanner takes a security tool out of the path. The CVE ranks in the top 28.8% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV stems from an integer underflow in a bounds check: an unsigned length computation wraps around, the check passes, and the routine reads past the end of a heap buffer (a heap buffer over-read). The flaw is tracked as CVE-2025-20128 and carries a CVSS 3.1 score of 5.3; it affects the open-source ClamAV antivirus engine used for file scanning and the products that embed it, such as Cisco Secure Endpoint.

An unauthenticated remote attacker can trigger the issue by submitting a specially crafted file containing malicious OLE2 content for scanning. Any channel that feeds files into ClamAV (mail gateways, upload scanners, on-access scanning on endpoints) is therefore a delivery path. Successful exploitation terminates the ClamAV scanning process, resulting in a denial-of-service condition on the affected software; because the defect is an over-read rather than a write, the impact stops at availability. No authentication or user interaction is required.

Cisco has published software updates that remediate the vulnerability; the fixes ship in ClamAV 1.4.2 and 1.0.8, and the corresponding Cisco security advisory states that no workarounds exist. Downstream distributions such as Debian have also issued patched packages; when verifying hosts, note that a distribution package may carry the backported fix under a version string older than 1.0.8 or 1.4.2.

EPSS for the CVE rose from a low baseline after disclosure to a peak of 0.0592 on 2025-12-11 before receding to its current value of 0.0199, indicating that exploitation interest increased several months after the initial announcement.

Vulnerability details

A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
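The bug class described in the "Deeper analysis" section and in the vulnerability description above is an unsigned subtraction performed before the operands have been ordered. The following is an added illustration written for this page; it is not ClamAV's code and the record layout (a hypothetical 8-byte header with a payload offset and length, followed by a one-byte XOR "cipher") is invented to keep the example small. It shows the vulnerable bounds check beside the hardened one and a decrypt routine that only proceeds after the hardened check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout for illustration (not ClamAV's real OLE2
 * structure):
 *   bytes 0..3  uint32 LE  offset of the encrypted payload within the record
 *   bytes 4..7  uint32 LE  payload length
 *   bytes 8..   record body
 */
#define HDR_LEN 8

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable bounds check: the remaining length is computed as
 * `len - off` in unsigned arithmetic before anyone has confirmed that
 * off <= len. A crafted header with off > len makes the subtraction wrap
 * to a huge value, the check passes, and the caller goes on to read
 * `plen` bytes starting past the end of the heap buffer. */
bool payload_fits_vulnerable(size_t len, uint32_t off, uint32_t plen) {
    size_t remaining = len - off;   /* wraps when off > len */
    return plen <= remaining;
}

/* Hardened check: reject off > len first, so the subtraction that follows
 * cannot wrap, and only then compare the length. */
bool payload_fits_hardened(size_t len, uint32_t off, uint32_t plen) {
    if (off > len) return false;
    return plen <= len - off;
}

/* Decrypt the payload (a one-byte XOR stands in for the real cipher)
 * using the hardened check. Returns the number of bytes written to out,
 * or -1 if the record is malformed or out is too small. */
int decrypt_record(const uint8_t *rec, size_t len, uint8_t key,
                   uint8_t *out, size_t out_cap) {
    if (len < HDR_LEN) return -1;
    uint32_t off  = rd_u32le(rec);
    uint32_t plen = rd_u32le(rec + 4);
    if (!payload_fits_hardened(len, off, plen)) return -1;
    if (plen > out_cap) return -1;
    for (uint32_t i = 0; i < plen; i++)
        out[i] = rec[off + i] ^ key;
    return (int)plen;
}

/* Constructed sample records (not real OLE2 data, not real malware). */
const uint8_t sample_benign[12] = {
    8, 0, 0, 0,                                   /* payload at offset 8 */
    4, 0, 0, 0,                                   /* 4 bytes long */
    'A' ^ 0x20, 'B' ^ 0x20, 'C' ^ 0x20, 'D' ^ 0x20 /* "ABCD" XOR-ed with key 0x20 */
};
const uint8_t sample_crafted[16] = {
    0xF0, 0xFF, 0xFF, 0xFF,   /* offset 0xFFFFFFF0: far beyond the 16-byte record */
    16, 0, 0, 0,              /* claims a 16-byte payload */
    0, 0, 0, 0, 0, 0, 0, 0
};

uint8_t g_out[64];

int main(void) {
    int n = decrypt_record(sample_benign, sizeof sample_benign, 0x20,
                           g_out, sizeof g_out);
    printf("benign record: %d bytes -> %.*s\n", n, n, (char *)g_out);

    uint32_t off = rd_u32le(sample_crafted);
    uint32_t plen = rd_u32le(sample_crafted + 4);
    printf("crafted record: vulnerable check %s, hardened check %s\n",
           payload_fits_vulnerable(sizeof sample_crafted, off, plen) ? "passes" : "rejects",
           payload_fits_hardened(sizeof sample_crafted, off, plen) ? "passes" : "rejects");
    return 0;
}
```

The crafted record never reaches a memory access here because only the check itself is exercised; in a real parser the passing vulnerable check is followed by a read at `rec + off`, which is what crashes the scanning process. The hardened version also illustrates the general rule for length arithmetic on untrusted headers: compare before subtracting, or subtract the smaller from the larger only after establishing which is which.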

CWE(s)

CWE-122 Heap-based Buffer Overflow
Related Threats

MITRE ATT&CK Enterprise Techniques

T1685 Disable or Modify Tools (Defense Impairment)
Adversaries may disable, degrade, or tamper with security tools or applications.
Why these techniques?

An integer underflow in the ClamAV OLE2 decryption routine lets a crafted file crash the antivirus scanner process remotely; taking a security scanner offline is a direct instance of impairing security tools.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20363 · same vendor: Cisco
CVE-2025-27091 · same vendor: Cisco
CVE-2025-21305 · shared CWE-122
CVE-2025-49757 · shared CWE-122
CVE-2025-62456 · shared CWE-122
CVE-2025-21186 · shared CWE-122
CVE-2026-23533 · shared CWE-122
CVE-2025-26416 · shared CWE-122
CVE-2025-21208 · shared CWE-122
CVE-2026-20922 · shared CWE-122

Affected Assets

Vendor: clamav · Product: clamav · Versions: 1.0.0 up to the fixed 1.0.8 · 1.1.0 up to the fixed 1.4.2 (1.0.8 and 1.4.2 are the patched releases and are not themselves affected)
Vendor: cisco · Product: secure endpoint · Versions: ≤ 1.24.4 · ≤ 1.25.1 · ≤ 7.5.20
Vendor: cisco · Product: secure endpoint private cloud · Versions: ≤ 4.2.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Requires timely flaw remediation by applying the available ClamAV patches (1.0.8, 1.4.2, or a distribution package carrying the backported fix) that correct the integer underflow leading to the heap buffer over-read in the OLE2 decryption routine.

RA-5 Vulnerability Monitoring and Scanning · detect

Enables detection of vulnerable ClamAV versions through regular vulnerability scanning, including ClamAV instances embedded in other products such as Cisco Secure Endpoint, so that patching can be prioritised before exploitation.
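A scanner for this control needs to turn the version banner of each ClamAV instance into an affected/not-affected verdict. The following is an added example for this page, not part of any scanning product: it parses the first line of `clamscan --version` (which has the form "ClamAV <version>/<signature DB version>/<date>") and applies the version ranges listed under "Affected Assets", with 1.0.8 and 1.4.2 as the fixed releases. The sample banners are constructed, with made-up signature database numbers and dates.

```c
#include <stdbool.h>
#include <stdio.h>

/* Parse the first line of `clamscan --version`, e.g.
 * "ClamAV 1.4.1/27542/Wed Jan 22 08:29:37 2025", into its numeric parts.
 * Returns false if the line does not start with "ClamAV major.minor.patch". */
bool parse_clamav_banner(const char *banner, int *major, int *minor, int *patch) {
    return sscanf(banner, "ClamAV %d.%d.%d", major, minor, patch) == 3;
}

/* Affected ranges as listed on this page: 1.0.0 up to but not including
 * the fixed 1.0.8, and 1.1.0 up to but not including the fixed 1.4.2.
 * The 1.1.x through 1.3.x series have no fixed release, so every version
 * in them counts as affected. Anything outside major version 1 is treated
 * as not in the listed range. */
bool clamav_version_affected(int major, int minor, int patch) {
    if (major != 1) return false;
    if (minor == 0) return patch < 8;           /* 1.0.x LTS, fixed in 1.0.8 */
    if (minor >= 1 && minor <= 3) return true;  /* 1.1.x .. 1.3.x, no fix release */
    if (minor == 4) return patch < 2;           /* 1.4.x, fixed in 1.4.2 */
    return false;                               /* newer than 1.4 */
}

/* Returns 1 if the banner is in the affected range, 0 if it is not, and
 * -1 if the banner could not be parsed. An unparseable banner must be
 * reported separately rather than silently treated as patched. */
int clamav_banner_affected(const char *banner) {
    int major, minor, patch;
    if (!parse_clamav_banner(banner, &major, &minor, &patch)) return -1;
    return clamav_version_affected(major, minor, patch) ? 1 : 0;
}

/* Constructed sample banners; DB numbers and dates are made up. */
const char *sample_banners[] = {
    "ClamAV 1.4.1/27542/Wed Jan 22 08:29:37 2025",
    "ClamAV 1.4.2/27543/Thu Jan 23 08:34:16 2025",
    "ClamAV 1.0.7/27542/Wed Jan 22 08:29:37 2025",
    "ClamAV 1.0.8/27543/Thu Jan 23 08:34:16 2025",
    "ClamAV 1.2.3/27542/Wed Jan 22 08:29:37 2025",
    "ClamAV 0.103.11/27542/Wed Jan 22 08:29:37 2025",
    "clamscan: command not found",
};

int main(void) {
    size_t count = sizeof sample_banners / sizeof sample_banners[0];
    for (size_t i = 0; i < count; i++) {
        int verdict = clamav_banner_affected(sample_banners[i]);
        printf("%-48s %s\n", sample_banners[i],
               verdict == 1 ? "AFFECTED" : verdict == 0 ? "ok" : "UNKNOWN (unparseable)");
    }
    return 0;
}
```

The verdict is only as good as the version string: a distribution package that backports the fix keeps its older upstream version number, so a hit from this check on a distro-managed host should be confirmed against the package changelog or the distribution's security tracker before it is filed as a finding.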

SC-5 Denial-of-Service Protection · prevent

Provides denial-of-service protections that limit the impact of crafted OLE2 files terminating the ClamAV scanning process, for example restarting the scanning daemon automatically under a supervisor and failing closed (holding rather than passing the file) when a scan returns an error instead of a verdict.