
CVE-2025-20128: Medium Vulnerability in Cisco ClamAV

A medium severity vulnerability in Cisco ClamAV could lead to denial of service. Attackers may exploit this issue by sending crafted OLE2 files. Immediate action is required to mitigate risks.

Severity: Medium · CVSS 5.3 · Published January 22, 2025


A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Organizations should prioritize patching immediately.

The CVSS score of this vulnerability varies between 5.3 and 7.5 depending on the scoring source, indicating a medium to high severity level. The vulnerability affects users of ClamAV versions prior to 1.0.8 and versions between 1.1.0 and 1.4.2. To fully mitigate risk, organizations need to ensure they are running an updated version.

Risk to organizations includes potential service interruptions due to the DoS condition. Immediate patching is required to prevent possible exploitation of this vulnerability.

Vulnerability Details

The vulnerability in question stems from an integer underflow in the bounds check during the decryption process of OLE2 files. This flaw allows an attacker to craft a malicious file that, when scanned, can lead to a termination of the ClamAV process.

The CVSS score assigned to this vulnerability varies; the PSIRT rating is 5.3 (medium severity), while the NVD rating is 7.5 (high severity). This inconsistency arises from differing interpretations of the impact on availability.

Technical Analysis

The root cause of this vulnerability lies in an integer underflow during a bounds check, which ultimately leads to a heap buffer overflow read. The attack vector is network-based, attack complexity is low, and no authentication or privileges are required. No user interaction is needed for exploitation.
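As an added illustration, not ClamAV's code and not the actual vulnerable routine, the C below shows the bug class the advisory describes: a bounds check whose unsigned subtraction can wrap when a crafted header length exceeds the buffer, beside the hardened form that validates the operand before subtracting. The header fields and the 64-byte buffer are constructed assumptions for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Vulnerable pattern (hypothetical, not ClamAV's code): the data remaining
 * after the header is computed with unsigned subtraction. If a crafted
 * header_len exceeds the buffer size, total - header_len wraps to a huge
 * value, the comparison passes, and the caller reads past the heap buffer,
 * which is the crash the advisory describes. */
static bool bounds_ok_vulnerable(size_t total, uint32_t header_len,
                                 uint32_t block_len) {
    size_t remaining = total - (size_t)header_len;  /* may underflow */
    return (size_t)block_len <= remaining;
}

/* Hardened pattern: reject header_len > total before subtracting, so the
 * subtraction can never wrap and block_len is compared against the true
 * remaining length. */
static bool bounds_ok_fixed(size_t total, uint32_t header_len,
                            uint32_t block_len) {
    if ((size_t)header_len > total)
        return false;
    return (size_t)block_len <= total - (size_t)header_len;
}

#define DEMO_TOTAL 64u  /* constructed 64-byte "file" for the demo */

/* Simulates reading one declared block out of a constructed buffer using the
 * hardened check. Returns the number of bytes copied, or -1 when the header
 * is inconsistent with the buffer size (the case that would have read out of
 * bounds under the vulnerable check). */
static int demo_read_block(uint32_t header_len, uint32_t block_len) {
    uint8_t file[DEMO_TOTAL];
    uint8_t out[DEMO_TOTAL];
    memset(file, 0xAB, sizeof file);           /* constructed payload bytes */
    if (!bounds_ok_fixed(sizeof file, header_len, block_len))
        return -1;
    memcpy(out, file + header_len, block_len); /* safe: validated above */
    (void)out;
    return (int)block_len;
}
```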

This vulnerability affects the availability of the ClamAV service, as a successful exploit results in the termination of the scanning process. There are no impacts on confidentiality or integrity, making the primary concern the potential service disruption.

Risk & Impact Analysis

Organizations utilizing ClamAV are at risk of service disruption if this vulnerability is exploited. The attack could lead to significant downtime, affecting the organization's ability to scan and secure their systems effectively. The urgency for remediation is underscored by the potential for exploitation, especially in environments where ClamAV is a critical component of network security.

Exploitation Status

Signal: Status
Known Exploit: No
Public PoC: No
Actively Exploited: No
Ransomware Use: No

Affected Versions

The affected versions of ClamAV include any version prior to 1.0.8 and versions between 1.1.0 and 1.4.2. Cisco Secure Endpoint is also affected, with specific version limits noted for macOS, Linux, and Windows variants.

Mitigation & Remediation

Cisco has released software updates that address this vulnerability. Organizations should upgrade to the latest versions of ClamAV to mitigate the risk. For those unable to patch immediately, implementing network controls to restrict access to ClamAV may provide temporary protection.

For further guidance on securing your systems, organizations may consider reviewing application security assessments to identify potential vulnerabilities.

Detection Guidance

To detect potential exploitation attempts, organizations should monitor logs for unusual scanning behavior or errors related to the ClamAV process. Behavioral anomalies, such as unexpected service restarts, could indicate an ongoing attack.

AppSecure Threat Intelligence Insight

This vulnerability highlights the importance of timely patching and monitoring for anomalies in security processes. Security teams should ensure they are aware of the latest vulnerabilities impacting their systems and the potential for service disruptions.

For further insights on vulnerability management, organizations may find value in exploring vulnerability management programs and their role in strengthening security postures.

Organizations should also focus on best practices for penetration testing to assess their defenses against similar vulnerabilities.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
