What are the specific CVE numbers and severity scores for these Comodo vulnerabilities?

Four vulnerabilities were discovered: CVE-2025-7096 (CVSS 9.2) for insufficient verification of data authenticity in update manifest files, CVE-2025-7097 (CVSS 9.2) for OS command execution through manifest file's exec tag, CVE-2025-7098 (CVSS 6.3) for path traversal enabling arbitrary file writes, and CVE-2025-7095 (CVSS 6.3) for improper certificate validation during update server connections.

How does the CVE-2025-7096 vulnerability work in Comodo Internet Security?

CVE-2025-7096 involves insufficient verification of data authenticity in update manifest files, leading to remote code execution with SYSTEM privileges. This means attackers can manipulate update manifests to execute malicious code with the highest level of system access.

What can attackers do with the CVE-2025-7097 command execution vulnerability?

CVE-2025-7097 allows OS command execution through the manifest file's 'exec' tag with SYSTEM privileges. The exec tag functionality, intended for legitimate update operations, can be weaponized to execute PowerShell payloads or other malicious commands directly with SYSTEM privileges, bypassing user account controls and leveraging Comodo's own trusted processes.

How does the path traversal vulnerability CVE-2025-7098 work?

CVE-2025-7098 is a path traversal vulnerability that enables arbitrary file writes, including placement of malicious files in the Windows startup folder for persistence. By manipulating the 'name' and 'folder' attributes in malicious update manifests, attackers can write files to arbitrary locations on the victim's system, including the Windows startup directory.

What is the certificate validation issue in CVE-2025-7095?

CVE-2025-7095 involves improper certificate validation during update server connections, allowing traffic redirection to attacker-controlled servers. The Comodo client does not check the SSL certificate of the server, which allows attackers to redirect traffic to a false update server under their control, for example with a DNS spoofing attack.

Are patches available for these Comodo Internet Security vulnerabilities?

The current patch status remains unclear, as Comodo has not yet released updates addressing these flaws. The researcher has contacted Comodo but has not received any feedback regarding when patches will be available.

Why are these Comodo vulnerabilities particularly concerning?

These vulnerabilities are particularly concerning because they affect antivirus software that users rely on for protection, they allow attackers to gain SYSTEM-level privileges, and they can be exploited through the trusted update mechanism. The fact that security software itself becomes a vector for compromise is especially problematic.

How do attackers exploit the update mechanism in Comodo Internet Security?

Attackers can exploit the update mechanism by manipulating update manifest files to execute malicious commands, write arbitrary files to the system, or redirect update traffic to malicious servers. The vulnerabilities allow them to abuse legitimate update functionality to compromise systems with SYSTEM privileges.

What privileges do attackers gain when exploiting these Comodo vulnerabilities?

Successful exploitation of CVE-2025-7096 and CVE-2025-7097 allows attackers to execute code with SYSTEM privileges, which is the highest level of access on Windows systems. This provides complete control over the compromised system and bypasses user account controls.

Can attackers establish persistence using these Comodo vulnerabilities?

Yes, the CVE-2025-7098 path traversal vulnerability enables attackers to write malicious files to the Windows startup folder, establishing persistence so their malware automatically runs when the system boots. This allows for long-term access to compromised systems.

What network-level protections can help mitigate these Comodo vulnerabilities?

Recommended network-level protections include implementing anti-ARP spoofing measures to prevent DNS redirection attacks, using firewall rules to restrict update server access only to official Comodo domains, and monitoring network traffic for suspicious update-related communications.

Are both free and premium versions of Comodo Internet Security affected?

Yes, while the vulnerabilities were confirmed in Comodo Internet Security Premium version 12.3.4.8162, the free Community Edition likely shares the same vulnerable code base for updates, making it equally susceptible to these attacks.

What should organizations using Comodo Internet Security do immediately?

Organizations should implement immediate network-level protections, monitor their systems for suspicious activity, consider temporarily restricting or monitoring update traffic, and prepare to apply patches as soon as they become available from Comodo. They should also evaluate alternative security solutions if patches are significantly delayed.

How do these vulnerabilities bypass Comodo's security mechanisms?

The vulnerabilities bypass security mechanisms by exploiting the trusted update process itself. Since the malicious code executes through Comodo's own legitimate processes with SYSTEM privileges, it bypasses user account controls and other security measures that would normally prevent unauthorized code execution.

What makes the exec tag vulnerability particularly dangerous?

The exec tag vulnerability (CVE-2025-7097) is particularly dangerous because it allows attackers to execute arbitrary commands with SYSTEM privileges through a feature intended for legitimate updates. This means attackers can run PowerShell scripts or other malicious commands with the highest level of system access while appearing to be part of normal Comodo operations.

What should users monitor to detect potential exploitation of these Comodo vulnerabilities?

Users should monitor network traffic for suspicious update-related communications, watch for unexpected outbound connections from Comodo processes, check for unauthorized files in the Windows startup folder, and monitor system logs for unusual SYSTEM-level process execution. Any unexpected behavior from Comodo processes should be investigated.

How severe is the overall security impact of these Comodo vulnerabilities?

The overall security impact is severe, with two vulnerabilities rated at CVSS 9.2 (critical severity). The combination of remote code execution with SYSTEM privileges, persistence mechanisms, and the ability to bypass security controls through trusted antivirus processes makes these vulnerabilities extremely dangerous for organizations and individual users relying on Comodo for protection.

Advisory

Multiple vulnerabilities in Comodo Internet Security 2025 enable system compromise

Q: What vulnerabilities were discovered in Comodo Internet Security 2025?

Security researchers discovered multiple critical vulnerabilities in Comodo Internet Security 2025 that allow attackers to bypass security mechanisms, execute malicious code with SYSTEM privileges, and establish persistent access to compromised systems. The vulnerabilities affect the antivirus software's update mechanism and file handling processes.

published: July 7, 2025

Take action: If you're using Comodo Internet Security, be aware it's vulnerable to a malicious update. If possible, hardcode Comodo's update servers to their well known confirmed IP addresses at your firewall and check for updates regularly. Even consider temporarily switching to an alternative antivirus solution.

Learn More

Security researchers have discovered multiple vulnerabilities in Comodo Internet Security 2025 that allow attackers to bypass security mechanisms, execute malicious code with SYSTEM privileges, and establish persistent access to compromised systems. The vulnerabilities affect the antivirus software's update mechanism and file handling processes.

The vulnerabilities are confirmed in Comodo Internet Security Premium version 12.3.4.8162, which was fully updated at the time of discovery. The free Community Edition likely shares the same vulnerable code base for updates, making it equally susceptible to these attacks.

Vulnerabilities summary:

CVE-2025-7096 (CVSS score 9.2) - Insufficient Verification of Data Authenticity in update manifest files, leading to remote code execution with SYSTEM privileges
CVE-2025-7097 (CVSS score 9.2) - OS command execution vulnerability allowing arbitrary command execution through the manifest file's "exec" tag with SYSTEM privileges. The manifest file's "exec" tag functionality, intended for legitimate update operations, can be weaponized to execute PowerShell payloads or other malicious commands directly with SYSTEM privileges. This bypasses user account controls and leverages Comodo's own trusted processes to run attacker-controlled code.
CVE-2025-7098 (CVSS score 6.3) - Path traversal vulnerability enabling arbitrary file writes, including placement of malicious files in the Windows startup folder for persistence. By manipulating the "name" and "folder" attributes in malicious update manifests, attackers can write files to arbitrary locations on the victim's system, including the Windows startup directory.
CVE-2025-7095 (CVSS score 6.3) - Improper certificate validation during update server connections, allowing traffic redirection to attacker-controlled servers. The Comodo client does not check the SSL certificate of the server, which allows attackers to redirect traffic to a false update server under their control, for example with a DNS spoofing attack.

The researcher has contacted Comodo, but has not received any feedback. The current patch status remains unclear, as Comodo has not yet released updates addressing these flaws. Users are advised to implement network-level protections including anti-ARP spoofing measures, restrict update server access to official Comodo domains through firewall rules, and monitor network traffic for suspicious update-related communications until patches become available.

Multiple vulnerabilities in Comodo Internet Security 2025 enable system compromise

Read More
Critical flaw reported in Apache HugeGraph-Server
Critical Wazuh Server vulnerability exploited by Mirai Botnet
SonicWall Gen 7 firewalls targeted with SSL VPN …
Version of Mirai botnet exploits vulnerability in Mitel …
Security rearchers discover old critical flaw still active …