CVE-2024-7232 is a local privilege escalation vulnerability identified in Avast Free Antivirus version 23.12.6094, caused by improper link resolution before file access (CWE-59) within the Avast Service component. The vulnerability allows an attacker who already has the ability to execute low-privileged code on the system to create symbolic links that the Avast Service follows incorrectly. This improper handling enables the attacker to manipulate the service into deleting arbitrary folders, which can be leveraged to escalate privileges to SYSTEM level. The core issue is that the Avast Service does not securely validate symbolic links before performing file system operations, leading to a classic 'link following' attack. Once escalated, the attacker can execute arbitrary code with the highest system privileges, compromising confidentiality, integrity, and availability of the affected system. The vulnerability does not require user interaction but does require local access with limited code execution capabilities. The CVSS v3.0 score of 7.8 reflects high severity due to the ease of exploitation after initial access and the critical impact on system security. No patches or fixes have been released at the time of this report, and no active exploitation has been observed in the wild. This vulnerability was tracked as ZDI-CAN-22963 by the Zero Day Initiative.

The primary impact of CVE-2024-7232 is the potential for local attackers to escalate privileges from a low-privileged user to SYSTEM level on Windows systems running the vulnerable Avast Free Antivirus version. This escalation can lead to full system compromise, allowing attackers to install persistent malware, disable security controls, access sensitive data, or disrupt system availability. Organizations relying on Avast Free Antivirus for endpoint protection may find their defenses undermined if attackers exploit this flaw. The vulnerability is particularly dangerous in environments where users have limited privileges but can execute code, such as shared workstations, developer machines, or systems with exposed local user accounts. The absence of required user interaction and the high impact on confidentiality, integrity, and availability make this a critical concern for enterprise environments. Although no known exploits are currently active, the vulnerability’s public disclosure increases the risk of future exploitation attempts. Failure to address this vulnerability could lead to significant operational disruptions, data breaches, and compliance violations.

To mitigate CVE-2024-7232, organizations should first verify if they are running the affected Avast Free Antivirus version 23.12.6094 (build 23.12.8700.813) and plan to upgrade to a patched version as soon as it becomes available from Avast. Until a patch is released, restrict local user permissions to prevent unauthorized code execution, as initial low-privileged code execution is required for exploitation. Employ application whitelisting and endpoint detection and response (EDR) solutions to monitor and block suspicious symbolic link creation or unusual file system operations by the Avast Service or other processes. Regularly audit and harden file system permissions to limit the ability of low-privileged users to create symbolic links in sensitive directories. Additionally, monitor logs for anomalous deletion activities or privilege escalation attempts related to Avast processes. Coordinate with Avast support or security advisories for timely updates and guidance. Finally, educate users about the risks of executing untrusted code locally to reduce the attack surface.