CVE-2024-7229 is a local privilege escalation vulnerability affecting Avast Cleanup Premium version 23.4 (build 15592). The root cause is improper link resolution before file access (CWE-59) in the Avast Cleanup Service component. Specifically, the service fails to securely handle symbolic links, allowing an attacker who already has low-level code execution privileges on the system to create a symbolic link that points to arbitrary files. When the service processes this link, it can be tricked into deleting or modifying files it should not, enabling the attacker to escalate privileges to SYSTEM level. This escalation allows execution of arbitrary code with the highest system privileges, compromising system confidentiality, integrity, and availability. The vulnerability requires local access and low-privileged code execution but does not require user interaction. The CVSS v3.0 score is 7.8, reflecting high severity due to the ease of exploitation once local code execution is achieved and the broad impact. No public exploits have been reported yet, but the vulnerability was tracked by ZDI as ZDI-CAN-22892. No patches are currently linked, so mitigation relies on access control and monitoring until a fix is released.

This vulnerability allows attackers who have already gained limited local access to escalate their privileges to SYSTEM level, effectively gaining full control over the affected system. This can lead to complete compromise of the system, including the ability to install persistent malware, access sensitive data, disable security controls, and disrupt system availability. For organizations, this can result in data breaches, operational disruption, and loss of trust. Because Avast Cleanup Premium is a popular system optimization tool used in both consumer and enterprise environments, the vulnerability could be exploited in targeted attacks or by malware to deepen system compromise. The requirement for initial low-privileged code execution limits remote exploitation but does not eliminate risk, especially in environments where endpoint security is weak or where attackers have already established footholds. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation once details become widely known.

Until an official patch is released by Avast, organizations should implement strict local access controls to prevent untrusted users or processes from executing code on systems running the affected version of Avast Cleanup Premium. Employ application whitelisting and endpoint detection and response (EDR) tools to monitor for suspicious symbolic link creation or unusual file deletion activities by the Avast Cleanup Service. Restrict permissions on the Avast Cleanup Service executable and related files to minimize the ability of low-privileged users to manipulate them. Consider temporarily disabling or uninstalling Avast Cleanup Premium on critical systems if local threat actors are a concern. Maintain up-to-date backups to recover from potential destructive actions. Monitor vendor advisories closely and apply patches immediately once available. Conduct internal audits to detect any signs of exploitation or privilege escalation attempts related to this vulnerability.