CVE-2025-69875
Published: 03 February 2026
Summary
CVE-2025-69875 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Quickheal Total Security. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-6 enforces least privilege, directly mitigating improper privilege management that allows low-privileged users to restore files to protected system directories.
AC-3 enforces approved authorizations for access to system resources, addressing improper permission handling in the quarantine restore function.
SI-10 validates information inputs such as restore paths, countering insufficient validation that enables placement of files in high-privilege locations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local path validation bypass in quarantine restore directly enables arbitrary file placement into protected directories, facilitating privilege escalation from low-privileged accounts.
NVD Description
A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can…
more
be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation.
Deeper analysisAI
CVE-2025-69875 is a vulnerability in Quick Heal Total Security version 23.0.0, specifically within the quarantine management component. It stems from insufficient validation of restore paths combined with improper permission handling, enabling a low-privileged local user to restore quarantined files directly into protected system directories. This flaw, associated with CWEs-269 (Improper Privilege Management), CWE-281 (Improper Preservation of Permissions), and CWE-552 (Files or Directories Accessible to External Parties), carries a CVSS v3.1 base score of 7.8 (High), reflecting local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by a low-privileged local attacker who gains access to the system. By abusing the quarantine restore functionality, the attacker can place arbitrary files into high-privilege system locations that would otherwise be restricted, potentially achieving privilege escalation to higher levels such as administrator or SYSTEM. No user interaction is needed beyond local access, making it straightforward for compromised standard user accounts to elevate privileges and further compromise the host.
References include a GitHub repository at https://github.com/mertdas/QuickHealTotalSecurityPOC, which provides a proof-of-concept for the issue, and a product security update page from Samsung Semiconductor at https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59439/. No specific patch or mitigation details are detailed in the provided information.
Details
- CWE(s)