CVE-2025-34109
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-15
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| panda_security | panda_global_protection | 16.1.2 |
| panda_security | panda_internet_security | 16.1.2 |
| panda_security | panda_antivirus_pro | 16.1.2 |
| panda_security | panda_small_business_protection | 16.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the PSEvents.exe process of multiple Panda Security 2016 products, which runs hourly with SYSTEM privileges. The process loads DLL files from a directory that users with low privileges can write to. Because the directory is writable by standard users and PSEvents.exe loads DLLs from there without proper validation, an attacker with low-level access can place a malicious DLL in that directory. When PSEvents.exe runs, it loads the malicious DLL, allowing the attacker to execute arbitrary code with SYSTEM-level privileges, effectively escalating their privileges on the system. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows an attacker who already has low-level access to a system to escalate their privileges to SYSTEM level, which is the highest privilege on Windows systems. With SYSTEM privileges, the attacker can execute arbitrary code, install malware, disable security controls, access sensitive data, and take full control of the affected machine. This can lead to complete compromise of the system and potentially the network it is connected to. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking whether the directory where PSEvents.exe runs is writable by the USERS group, and whether DLLs it expects there are missing and could be replaced, or suspicious DLL files already exist. Specifically, verify the permissions of the folder %ProgramData%\Panda Security\Panda Devices Agent\Downloads and its subdirectories to ensure USERS do not have write access. On Windows, you can check the permissions with the command `icacls "%ProgramData%\Panda Security\Panda Devices Agent\Downloads"`. Additionally, check for the presence of unexpected DLL files in this directory. Monitoring the hourly execution of PSEvents.exe with SYSTEM privileges and any DLL loading activity from the user-writable directory can also help detect exploitation attempts. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the official hotfix released by Panda Security, which restricts the permissions of the folder %ProgramData%\Panda Security\Panda Devices Agent\Downloads to read-only for the USERS group, preventing unauthorized DLL modifications. After applying the hotfix, verify the folder permissions to ensure USERS do not have write access. Additionally, remove any suspicious DLL files from the directory. If the hotfix cannot be applied immediately, temporarily restrict write permissions on the affected directories to prevent unprivileged users from placing malicious DLLs. [1, 2]
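The permission and DLL checks described in the detection and mitigation answers above, written out as an added PowerShell example; it is not code from Panda Security or from the cited sources. Only the folder path comes from this page: the list of low-privileged SIDs, the write-rights mask and the signature inventory are assumptions made for the example.

```powershell
# Added example: audit the folder named on this page (and its subfolders) for
# allow ACEs that let low-privileged groups write, then inventory its DLLs.
param(
    [string]$Root = (Join-Path $env:ProgramData 'Panda Security\Panda Devices Agent\Downloads')
)

# Well-known SIDs (assumed set); SIDs are used so the check works on any OS language.
$LowPrivSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
}

# Rights that allow planting or replacing a file, plus GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000), which can appear unmapped in inherit-only ACEs.
$Rights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$Rights -bor 0x40000000 -bor 0x10000000

function Get-WritableAce {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        # Deny ACEs are not evaluated here, so confirm any hit with icacls.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{ Path = $Path; Principal = $LowPrivSids[$sid]
                           Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }
}

if (-not (Test-Path -LiteralPath $Root)) { Write-Output "Not present: $Root"; return }

$dirs = @(Get-Item -LiteralPath $Root -Force) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
$findings = foreach ($d in $dirs) { Get-WritableAce -Path $d.FullName }
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output 'No low-privilege write ACEs found.' }

# DLL inventory for manual review: owner, creation time and Authenticode status.
Get-ChildItem -LiteralPath $Root -Filter *.dll -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{ File = $_.FullName; Created = $_.CreationTime
                           Owner = (Get-Acl -LiteralPath $_.FullName).Owner
                           Signature = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    } | Format-Table -AutoSize
```

Run it from an elevated session so every subfolder ACL can be read. An empty first table after the hotfix is the expected result.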