CVE-2025-20128: 
Clam AntiVirus vulnerability analysis and mitigation

CVE-2025-20128 is a vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV, discovered in January 2025. The vulnerability affects ClamAV's file scanning functionality and impacts various Cisco Secure Endpoint Connector products. The flaw was discovered by Google OSS-Fuzz and received a CVSS base score of 5.3 (Medium) (Cisco Advisory, NVD).

The vulnerability is caused by an integer underflow in a bounds check that allows for a heap buffer overflow read in the OLE2 file parser. It has been classified as CWE-122 (Heap-based Buffer Overflow) and received a CVSS v3.1 score of 5.3 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The flaw affects all ClamAV versions from 1.0.0 up to the patched versions 1.4.2 and 1.0.8 (ClamAV Blog, NVD).

A successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition by terminating the ClamAV scanning process. While the scanning process can be disrupted, overall system stability is not affected. The impact primarily affects the ability to perform antivirus scanning operations (Cisco Advisory, Help Net Security).

Cisco has released software updates to address this vulnerability. Users should upgrade to ClamAV versions 1.4.2 or 1.0.8. For Cisco Secure Endpoint Connector, the following versions contain the fix: Windows (7.5.20 or 8.4.31), Linux (1.25.1), and macOS (1.24.4). There are no workarounds available for this vulnerability. Updated releases are available through the Cisco Secure Endpoint portal and will be automatically updated depending on the configured policy (Help Net Security, Cisco Advisory).