CVE-2017-20201
BaseFortify

Publication date: 2025-10-08

Last updated on: 2025-10-14

Assigner: VulnCheck

Description
CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214.
Meta Information
Published
2025-10-08
Last Modified
2025-10-14
Generated
2026-05-07
AI Q&A
2025-10-09
EPSS Evaluated
2026-05-05
NVD
Affected Vendors & Products
Two associated CPEs:

Vendor     Product          Version
piriform   ccleaner_cloud   1.07.3191
piriform   ccleaner         5.33.6162
CWE
CWE ID Description
CWE-506 The product contains code that appears to be malicious in nature.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves a malicious pre-entry-point loader in CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) that diverts execution to a custom loader. This loader decodes embedded shellcode, allocates executable memory, resolves Windows API functions at runtime, and executes an in-memory payload. The payload performs anti-analysis checks, collects host telemetry data, obfuscates it, and attempts to exfiltrate it via HTTPS to hard-coded command and control servers or dynamically generated domains. This allows stealthy execution, persistence, and potential lateral movement within affected systems.


How can this vulnerability impact me?

The vulnerability can lead to remote data collection and exfiltration from the affected system, stealthy in-memory execution of malicious code, persistence of the malware on the system, and potential lateral movement to other systems within the network, thereby compromising system security and privacy.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update CCleaner to version 5.34 or later, and CCleaner Cloud to version 1.07.3214 or later, as these versions contain the remediation for the malicious loader issue.

