Cisco has released security updates to address a vulnerability in ClamAV that allows attackers to trigger a Denial of Service (DoS) condition.
Designated as CVE-2025-20128, the vulnerability stems from a heap-based buffer overflow during the decoding of Object Linking and Embedding 2 (OLE2) data. An unauthenticated attacker can exploit this flaw to induce DoS conditions on vulnerable systems.
Successful exploitation of the vulnerability causes the ClamAV antivirus scanning process to crash, resulting in delays or the complete cessation of further scanning operations. Cisco clarified that the attack can be executed by simply submitting a file with malicious OLE2 content for scanning. While the process crash creates a DoS condition, the overall system stability remains unaffected.
The vulnerability impacts the Secure Endpoint Connector software, which operates on Linux, macOS, and Windows devices. This tool is designed to transfer logs and events from Cisco Secure Endpoint to SIEM systems.
Although Cisco has not observed instances of the vulnerability being exploited in the wild, the company confirmed the existence of publicly available proof-of-concept (PoC) code.
In October, IntelBroker claimed to have breached Cisco systems, gaining access to source code, certificates, credentials, confidential documents, encryption keys, and other sensitive materials. Among the leaked data were reportedly items tied to the products of major corporations.
In November, reports surfaced that the Volt Typhoon hacking group had been actively targeting devices in Asia since September and building a new network of compromised systems. Their primary targets include Cisco RV320/325 and Netgear ProSafe devices. Over 37 days, Volt Typhoon managed to compromise nearly 30% of all internet-exposed Cisco RV320/325 devices. While the exact vulnerabilities exploited remain unclear, experts speculate that the issue stems from the lack of updates for these outdated, end-of-life devices.