Cisco patches antivirus decommissioning bug as exploit code surfaces

by CybrGPT

The flaw could allow remote attackers to shut down ClamAV scanning and compromise critical security workflows.

Cisco has patched a denial-of-service (DoS) vulnerability in ClamAV, its open-source antivirus toolkit, for which proof-of-concept (PoC) exploit code is already publicly available.

Identified as CVE-2025-20128, the vulnerability stems from a heap-based buffer overflow in the Object Linking and Embedding 2 (OLE2) decryption routine, enabling unauthenticated remote attackers to cause a DoS condition on affected devices.

“This vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read,” Cisco said in an advisory. “A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software.”

However, the company noted that overall system stability remains intact even after successful exploitation of the flaw.
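The advisory describes the bug class rather than the code, so the following added example (not ClamAV's OLE2 parser, and not code from Cisco or the article) illustrates the mechanism in isolation: a bounds check that subtracts before validating its operands, so a crafted offset makes the unsigned subtraction wrap and the check passes for any length. The record layout, field names and sample records are assumptions constructed for this illustration. The functions return the end offset a parser would go on to read, so the effect can be observed without performing the invalid read; the hardened variant rejects the offset before it reaches the subtraction, which is the usual fix for this pattern.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed record layout (an assumption for this example, not a real
 * container format):
 *   bytes 0-1  record length  (little-endian, whole record incl. header)
 *   bytes 2-3  stream offset  (where the embedded stream starts)
 *   bytes 4-5  stream length
 *   bytes 6-   stream data
 */
#define HDR_LEN 6
#define REJECTED (-1L)

static size_t rd16(const uint8_t *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }

/* Vulnerable check. Returns the end offset of the stream the caller would
 * read, or REJECTED. "remaining" is computed before verifying that the offset
 * lies inside the record; when off > rec_len the unsigned subtraction wraps
 * to a value near SIZE_MAX, so no stream length is ever "too long", and the
 * returned end offset lies beyond the buffer. */
long stream_end_vulnerable(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < HDR_LEN) return REJECTED;
    size_t rec_len = rd16(buf), off = rd16(buf + 2), len = rd16(buf + 4);
    if (rec_len > buf_len) return REJECTED;   /* record must fit the buffer */
    size_t remaining = rec_len - off;         /* underflows when off > rec_len */
    if (len > remaining) return REJECTED;     /* passes for any len after wrap */
    return (long)(off + len);
}

/* Hardened check: validate the offset before it is used in a subtraction,
 * then compare the length against the bytes that really remain. */
long stream_end_fixed(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < HDR_LEN) return REJECTED;
    size_t rec_len = rd16(buf), off = rd16(buf + 2), len = rd16(buf + 4);
    if (rec_len > buf_len) return REJECTED;
    if (off < HDR_LEN || off > rec_len) return REJECTED;  /* order matters */
    if (len > rec_len - off) return REJECTED;             /* cannot underflow now */
    return (long)(off + len);
}

/* Consumer that only touches memory the hardened check has approved:
 * XOR checksum over the stream bytes, or -1 if the record was rejected. */
int stream_checksum(const uint8_t *buf, size_t buf_len)
{
    long end = stream_end_fixed(buf, buf_len);
    if (end == REJECTED) return -1;
    size_t off = rd16(buf + 2);
    uint8_t x = 0;
    for (size_t i = off; i < (size_t)end; i++) x ^= buf[i];
    return x;
}

/* Constructed inputs: a well-formed 12-byte record, and one whose stream
 * offset (0x1000) and length (0x0100) point far past the 12-byte buffer. */
static const uint8_t benign[12]  = { 12, 0, 6, 0, 6, 0, 'A', 'B', 'C', 'D', 'E', 'F' };
static const uint8_t crafted[12] = { 12, 0, 0x00, 0x10, 0x00, 0x01, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("benign : vulnerable end=%ld fixed end=%ld checksum=%d\n",
           stream_end_vulnerable(benign, sizeof benign),
           stream_end_fixed(benign, sizeof benign),
           stream_checksum(benign, sizeof benign));
    printf("crafted: vulnerable end=%ld (buffer is %zu bytes) fixed end=%ld\n",
           stream_end_vulnerable(crafted, sizeof crafted), sizeof crafted,
           stream_end_fixed(crafted, sizeof crafted));
    return 0;
}
```

For the benign record both checks agree on an end offset of 12, inside the buffer. For the crafted record the vulnerable check accepts an end offset of 4352 against a 12-byte buffer, which is exactly the out-of-bounds read a scanner would then perform and crash on; the hardened check rejects it. Fuzzers such as the OSS-Fuzz run credited in the article find this class of defect reliably because the crash is deterministic once the offset exceeds the record length, so running parsers under a sanitizer-instrumented fuzz target is the practical detection control.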

The flaw could shut down AV scanning

Although rated medium severity, the flaw could disrupt critical scanning for ClamAV users who rely on it for email scanning, web filtering, and endpoint security.

“An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device,” the advisory added. “The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability.”

Affected Cisco software platforms include Secure Endpoint Connector for Linux, Secure Endpoint Connector for Mac, Secure Endpoint Connector for Windows, and Secure Endpoint Private Cloud.

Cisco confirmed the vulnerability does not affect its “Secure Email Gateway” and “Secure Web Appliances” products, two Cisco solutions for email- and web-based threats that integrate ClamAV.

Patching is the only workaround

In a separate ClamAV blog post, the Cisco team provided details of the security patches released to address this flaw. The patch rollout includes ClamAV release 1.4.2 and ClamAV release 1.0.8, both available for download from the ClamAV downloads page, the GitHub release page, and Docker Hub.

Patching affected software is the only option for users, as the company said there are no workarounds that address this vulnerability.

The company said in the advisory that it is not aware of any active exploitation of the vulnerability, and credited Google’s OSS-Fuzz fuzzing project for reporting it. This is the second denial-of-service (DoS) vulnerability in Cisco’s anti-malware toolkit within a year. The first, identified in February 2024, allowed a similar attack but was rated more severe than the current flaw.


© 2025 cybrgpt.com – All rights reserved.