CVE-2024-13990 (CNNVD-202509-3095)
中文标题:
MicroWorld eScan AV 安全漏洞
英文标题:
MicroWorld eScan AV Insecure Update Mechanism Allows Man-in-the-Middle Replacement of Updates
漏洞描述
中文描述:
MicroWorld eScan AV是印度MicroWorld公司的一款防范恶意软件的安全软件。 MicroWorld eScan AV存在安全漏洞,该漏洞源于更新机制未能确保更新包的真实性和完整性,可能导致中间人攻击和远程代码执行。
英文描述:
MicroWorld eScan AV's update mechanism failed to ensure authenticity and integrity of updates: update packages were delivered and accepted without robust cryptographic verification. As a result, an on-path attacker could perform a man-in-the-middle (MitM) attack and substitute malicious update payloads for legitimate ones. The eScan AV client accepted these substituted packages and executed or loaded their components (including sideloaded DLLs and Java/installer payloads), enabling remote code execution on affected systems. MicroWorld eScan confirmed remediation of the update mechanism on 2023-07-31 but versioning details are unavailable. NOTE: MicroWorld eScan disputes the characterization in third-party reports, stating the issue relates to 2018–2019 and that controls were implemented then.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| MicroWorld Technologies | eScan AV | * | - | - |
cpe:2.3:a:microworld_technologies:escan_av:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
4.0 (cna)
CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2024-13990 |
2025-11-11 15:22:22 | 2025-11-11 07:39:01 |
| NVD | nvd_CVE-2024-13990 |
2025-11-11 15:00:21 | 2025-11-11 07:47:03 |
| CNNVD | cnnvd_CNNVD-202509-3095 |
2025-11-11 15:12:58 | 2025-11-11 08:00:12 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202509-3095
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']