Vulnerability type:

• CWE-386: Symbolic Name not Mapping to Correct Object

Identifier (ID): BDU:2024-07485

Vulnerability vector:

• Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• Severity (CVSSv3.1): 7.8 (high)
• Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
• Severity (CVSSv4.0): 8.5 (high)

Description:

The vulnerability was identified in the following products:

• ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security Premium, ESET Security Ultimate
• ESET Small Business Security and ESET Safe Server
• ESET Endpoint Antivirus and ESET Endpoint Security for Windows
• ESET Server Security for Windows Server (formerly File Security for Microsoft Windows Server)
• ESET Mail Security for Microsoft Exchange Server
• ESET Mail Security for IBM Domino
• ESET Security for Microsoft SharePoint Server
• ESET File Security for Microsoft Azure

The discovered vulnerability can be exploited by an attacker to locally escalate privileges on a system running an ESET product by deleting arbitrary files.

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 20.09.2024

Recommendations:

The fix for the vulnerability was released in the Cleaner module 1251.
It was distributed and applied automatically. 
The versions of the installed modules can be checked via Instrution by ESET.

Additional information: Security Advisory

Researcher: Dmitry Zuzlov (Positive Technologies)