Bypass Record

Exploitation for Priv-Esc × ESET Endpoint Antivirus

A publicly reported instance of Exploitation for Priv-Esc bypassing ESET Endpoint Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
ESET Endpoint Antivirus
Technique
Exploitation for Priv-Esc
MITRE ATT&CK
T1068
Confidence
High
Severity
Low
Status
unknown
Disclosed
2024-01-31
Config / version noted
Not stated

Provenance

Reported as

CVE-2023-7043 is a low-severity unquoted service path vulnerability in multiple ESET products for Windows.

Mechanism

The service is registered with an image path that contains spaces but is not wrapped in quotes. When the Service Control Manager starts such a service it resolves the executable by trying each prefix of the path that ends at a space, with .exe appended, before the full path: for an illustrative C:\Program Files\Vendor Name\svc.exe it would look for C:\Program.exe, then C:\Program Files\Vendor.exe, and only then the real binary. An attacker who can create a file in one of those parent directories drops a prepared executable under the matching name, and at the next boot the SCM launches it in place of the intended binary with the service account's rights, here NT AUTHORITY\NetworkService. Default ACLs do not let a standard user create files in the root of the system drive or under Program Files, so exploitation needs an existing foothold or a weakened directory ACL; that prerequisite accounts for the low severity rating.

Detection & mitigation

Detection: watch for executables appearing at the hijack locations an unquoted path implies (for example C:\Program.exe, or a file named after a directory that has a space in its name), and for services running as NetworkService or a higher-privileged account whose process image is not the expected binary; unexpected child processes of such services are a secondary indicator. Mitigation: apply the vendor patch, then audit every service's image path for unquoted values containing spaces, with sc.exe qc <service name> or PowerShell (Get-CimInstance Win32_Service, inspecting PathName), and quote any that are found.
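The following PowerShell script is an added example, not code from the cited source or from ESET. It covers both the mechanism above and the mitigation: it reproduces the SCM lookup order for an unquoted path (every space-terminated prefix plus .exe), audits all services on the host for such paths, flags candidates whose parent directory grants create rights to Everyone, Users, Authenticated Users or INTERACTIVE, and can write the quoted form back to the service's ImagePath. The function names, the broad-principal list used as the "standard user" heuristic, the sample path C:\Program Files\Vendor Name\svc.exe and the service name ExampleSvc in the usage lines are all assumptions of this example.

```powershell
# Added example (not from the cited source or the vendor): unquoted service path audit.

function Get-ServicePathCandidates {
    # Reproduces the SCM lookup order for an unquoted path: every prefix that
    # ends at a space, with ".exe" appended, is tried before the full path.
    param([Parameter(Mandatory)][string]$ImagePath)

    $exeEnd  = $ImagePath.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $exePath = if ($exeEnd -ge 0) { $ImagePath.Substring(0, $exeEnd + 4) } else { $ImagePath }
    $parts   = $exePath -split ' '
    # @() so a path without spaces yields an empty list rather than $null
    $candidates = @(for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    })
    [pscustomobject]@{
        Executable = $exePath
        Arguments  = $ImagePath.Substring($exePath.Length).Trim()
        Candidates = $candidates
    }
}

function Test-StandardUserWritable {
    # True when a broad principal holds an Allow ACE that permits creating files
    # or directories in $Directory. Generic rights (GENERIC_WRITE, GENERIC_ALL)
    # appear as raw numbers in FileSystemRights, so they are masked in as well.
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $mask  = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    $mask  = $mask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
    try { $aces = (Get-Acl -LiteralPath $Directory -ErrorAction Stop).Access } catch { return $false }

    foreach ($ace in $aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # One row per hijack candidate of every service whose unquoted PathName
    # contains a space. WritableDir is the finding that matters: a candidate
    # whose parent directory standard users can write to.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path -or $path.TrimStart().StartsWith('"')) { return }
        $info = Get-ServicePathCandidates -ImagePath $path
        if ($info.Candidates.Count -eq 0) { return }   # executable path has no spaces

        foreach ($c in $info.Candidates) {
            [pscustomobject]@{
                Service     = $svc.Name
                StartName   = $svc.StartName          # e.g. NT AUTHORITY\NetworkService
                ImagePath   = $path
                Candidate   = $c
                WritableDir = Test-StandardUserWritable -Directory (Split-Path -Path $c -Parent)
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Writes the quoted form back to HKLM\...\Services\<name>\ImagePath, keeping
    # the existing value kind (REG_SZ or REG_EXPAND_SZ). Run elevated; try -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($path.TrimStart().StartsWith('"')) { return }
    $info  = Get-ServicePathCandidates -ImagePath $path
    $fixed = '"{0}"' -f $info.Executable
    if ($info.Arguments) { $fixed += ' ' + $info.Arguments }
    $kind  = (Get-Item -Path $key).GetValueKind('ImagePath')
    if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type $kind
    }
}

# Usage (constructed sample path, then a live audit on an elevated host):
#   (Get-ServicePathCandidates 'C:\Program Files\Vendor Name\svc.exe -run').Candidates
#   Get-UnquotedServicePath | Where-Object WritableDir | Format-Table -AutoSize
#   Repair-UnquotedServicePath -Name 'ExampleSvc' -WhatIf
```

For the constructed sample path the candidate list is C:\Program.exe followed by C:\Program Files\Vendor.exe, which is exactly the order the SCM probes before reaching svc.exe. The ACL check is a heuristic: it only looks at a fixed set of broad principals and does not evaluate inherited Deny entries or group nesting, so treat WritableDir as a prompt to inspect the directory, not as proof of exploitability.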


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.