CVE-2024-13990
BaseFortify

Publication date: 2025-09-19

Last updated on: 2025-09-22

Assigner: VulnCheck

Description
MicroWorld eScan AV's update mechanism failed to ensure the authenticity and integrity of updates: update packages were delivered and accepted without robust cryptographic verification. As a result, an on-path attacker could perform a man-in-the-middle (MitM) attack and substitute malicious update payloads for legitimate ones. The eScan AV client accepted these substituted packages and executed or loaded their components (including sideloaded DLLs and Java/installer payloads), enabling remote code execution on affected systems. MicroWorld eScan confirmed remediation of the update mechanism on 2023-07-31, but versioning details are unavailable. NOTE: MicroWorld eScan disputes the characterization in third-party reports, stating the issue relates to 2018–2019 and that controls were implemented then.
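The CWE-347 failure described above, shown in an added Go example that is not eScan's code: an update client that loads whatever package arrives beside one that refuses anything whose detached Ed25519 signature does not verify under a vendor public key pinned into the client. The key, payloads and package format are constructed for the demonstration and assume nothing about eScan's real update protocol.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// UpdatePackage models a downloaded update: the payload plus a detached
// signature the vendor made over the payload's SHA-256 digest (constructed format).
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// acceptUpdateUnverified is the CWE-347 pattern in the record: whatever
// arrived is loaded, so an on-path substitution is never noticed.
func acceptUpdateUnverified(p UpdatePackage) ([]byte, error) {
	return p.Payload, nil
}

// acceptUpdateVerified loads the payload only if its detached signature
// verifies under the public key pinned into the client at build time.
func acceptUpdateVerified(pinnedPub ed25519.PublicKey, p UpdatePackage) ([]byte, error) {
	digest := sha256.Sum256(p.Payload)
	if !ed25519.Verify(pinnedPub, digest[:], p.Signature) {
		return nil, errors.New("update rejected: signature does not verify under pinned key")
	}
	return p.Payload, nil
}

// signUpdate is the hypothetical vendor-side release step.
func signUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// Demo runs the MitM scenario on constructed data: the genuine signature is
// reattached to a substituted payload, which is exactly what a swap in transit leaves behind.
func Demo() (genuineAccepted, tamperedRejected, unverifiedAcceptsTampered bool) {
	// Fixed seed so the demo is deterministic; a real vendor key is never a constant.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	genuine := signUpdate(priv, []byte("constructed update payload v1"))
	tampered := UpdatePackage{Payload: []byte("substituted payload"), Signature: genuine.Signature}
	_, errGenuine := acceptUpdateVerified(pub, genuine)
	_, errTampered := acceptUpdateVerified(pub, tampered)
	_, errUnverified := acceptUpdateUnverified(tampered)
	return errGenuine == nil, errTampered != nil, errUnverified == nil
}
```

Pinning the public key matters as much as the signature check itself: a key fetched from the same unauthenticated channel as the update could be swapped along with it.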
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product   Version / Range
microworld  escan     *
xmrig       xmrig     *
CWE
CWE ID   Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-295 The product does not validate, or incorrectly validates, a certificate.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2024-13990 is a critical vulnerability in the update mechanism of MicroWorld eScan Antivirus. The update process failed to ensure the authenticity and integrity of update packages, lacking robust cryptographic verification and HTTPS protection. This allowed an attacker performing a man-in-the-middle (MitM) attack to intercept and replace legitimate update files with malicious ones. The eScan client would accept and execute these malicious updates, including sideloaded DLLs and installer payloads, enabling remote code execution on affected systems. The vulnerability was exploited by a sophisticated malware campaign named GuptiMiner, which deployed backdoors and cryptocurrency miners through this attack vector. The issue was fixed by eScan on July 31, 2023, after being active since at least 2018. [2, 4, 5, 6, 7]


How can this vulnerability impact me?

This vulnerability can have severe impacts including remote code execution on affected systems without requiring any privileges or user interaction. Attackers can replace legitimate antivirus updates with malicious payloads that install backdoors, allowing persistent unauthorized access, lateral movement within networks, and theft of sensitive data such as private keys and cryptocurrency wallets. Additionally, the malware campaign deployed cryptocurrency miners (XMRig), which consume system resources and may serve as a distraction from more damaging espionage activities. The infection chain involves advanced evasion techniques, making detection and remediation challenging. Organizations using vulnerable versions of eScan antivirus are at risk of compromise, especially large corporate networks. [3, 4, 5, 6, 7]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying signs of the GuptiMiner malware infection and suspicious activity related to eScan antivirus update processes. Indicators include the presence of malicious DLLs such as 'version.dll' or 'updll62.dlz' loaded by eScan binaries, unusual DNS queries to attacker-controlled DNS servers, and execution of shellcode extracted from PNG files. Detection can also focus on monitoring for the creation of mutexes like 'Mutex_ONLY_ME_V1', injection into the services.exe process, and the presence of backdoors or cryptocurrency mining activity (XMRig). Since the malware uses custom DNS servers and unusual DNS TXT record queries, network monitoring tools can be used to detect anomalous DNS traffic. Additionally, running reputable antivirus or endpoint detection and response (EDR) tools updated with signatures for GuptiMiner can help detect infections. Specific commands are not detailed in the resources, but general approaches include scanning for suspicious DLLs in eScan directories, monitoring DNS requests on the network, and checking running processes for injected code or known malware components. [3, 4, 5, 6, 7]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Updating eScan antivirus to the latest version released after July 31, 2023, which contains the fixed update mechanism with HTTPS and cryptographic verification.
2) Ensuring that updates are obtained only from the official eScan AV update site, and discontinuing use of partner CDNs or unofficial sources.
3) Shifting update mechanisms to HTTPS-based downloads to prevent MitM attacks.
4) Running comprehensive scans with updated antivirus solutions capable of detecting and removing GuptiMiner and related malware.
5) Monitoring and blocking suspicious network traffic, especially DNS queries to unknown or attacker-controlled servers.
6) Applying general endpoint security best practices, such as retiring legacy or vulnerable Windows versions targeted by the malware (e.g., Windows 7, Windows Server 2008) and keeping system patches current.
eScan has also sinkholed the update server and implemented stringent security controls since 2019, so following vendor guidance and maintaining updated security infrastructure is critical. [1, 2, 3, 4, 5, 6, 7]

