CVE-2025-34109: CWE-427 Uncontrolled Search Path Element in Panda Security Panda Global Protection 2016

Severity: High
Published: Tue Jul 15 2025 (07/15/2025, 13:04:59 UTC)
Source: CVE Database V5
Vendor/Project: Panda Security
Product: Panda Global Protection 2016

Description

PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code execution with SYSTEM privileges. Affected products include Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016 (all versions up to 16.1.2).

AI-Powered Analysis

Last updated: 07/22/2025, 20:39:13 UTC

Technical Analysis

CVE-2025-34109 is a high-severity vulnerability classified under CWE-427 (Uncontrolled Search Path Element). It affects multiple Panda Security products: Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016, in all versions up to 16.1.2. The flaw is in the PSEvents.exe process, which runs hourly with SYSTEM privileges and loads DLL files from a directory that is writable by low-privileged users. Because the DLL loading mechanism lacks proper validation or path restrictions, an attacker with low-level access can place a malicious DLL in this directory. On its next run, PSEvents.exe loads the attacker-controlled DLL with SYSTEM privileges, resulting in arbitrary code execution at the highest privilege level on the affected system.

Exploitation requires no user interaction. A remote attacker can exploit it only after obtaining low-privileged access to the system, such as through a compromised user account or other means. The CVSS 4.0 score of 8.5 reflects the high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and no need for user interaction. No known exploits are currently reported in the wild, and no patches have been linked yet, so organizations must prioritize mitigation and monitoring. The escalation from a low-privileged user to SYSTEM can enable full system compromise, lateral movement, and persistence within affected environments.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially in environments where Panda Security 2016 products are deployed. The ability for an attacker with low privileges to escalate to SYSTEM level can lead to complete system takeover, data theft, disruption of services, and deployment of ransomware or other malware. Sensitive data confidentiality and system integrity are at high risk, and availability can be impacted if attackers disable security controls or critical services. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly vulnerable due to the sensitive nature of their data and the potential for regulatory penalties under GDPR if breaches occur. The hourly execution of the vulnerable process increases the attack window, making timely detection and response critical. Additionally, the lack of patches means organizations must rely on compensating controls to reduce risk until official fixes are available.

Mitigation Recommendations

1. Immediately restrict write permissions on the directory from which PSEvents.exe loads DLLs to trusted administrators only, preventing low-privileged users from placing files there.
2. Employ application whitelisting or code integrity policies (e.g., Microsoft AppLocker or Windows Defender Application Control) to restrict execution of unauthorized DLLs.
3. Monitor the directory for unauthorized file creation or modification using file integrity monitoring tools and alert on suspicious activity.
4. Limit the number of users with local low-privileged access on systems running affected Panda products.
5. If possible, disable or restrict the PSEvents.exe process until a patch is available, understanding the operational impact.
6. Implement network segmentation and least privilege principles to reduce the ability of attackers to gain initial low-level access.
7. Regularly audit and update endpoint security products and stay alert for vendor patches or advisories addressing this vulnerability.
8. Conduct internal penetration testing and red team exercises to identify potential exploitation paths related to this vulnerability.
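
The following audit script is an added example, not taken from the advisory or from Panda Security. It checks recommendations 1 and 3 by listing ACL entries that let non-administrative principals write to the DLL directory and by flagging DLLs there without a valid Authenticode signature. The advisory does not name the directory, so `$MonitoredDir` is a required input you supply; the trusted-SID list is an assumption to adjust for your environment.

```powershell
# Added example: audit the directory PSEvents.exe loads DLLs from.
# The advisory does not give the path; supply the one used by your installation.
param(
    [Parameter(Mandatory)]
    [string]$MonitoredDir
)

# Principals allowed to write (assumption): SYSTEM, Administrators, TrustedInstaller.
$trustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Bits that allow planting a file or rewriting the ACL, plus GENERIC_ALL / GENERIC_WRITE,
# which can appear unmapped on inherit-only entries.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Ask for rules keyed by SID so the check does not depend on localized account names.
$acl = Get-Acl -LiteralPath $MonitoredDir
$risky = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trustedSids -notcontains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $writeMask) -ne 0
    }

# Inventory DLLs currently present, with owner, creation time and signature state.
$dlls = Get-ChildItem -LiteralPath $MonitoredDir -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File       = $_.Name
            Owner      = (Get-Acl -LiteralPath $_.FullName).Owner
            CreatedUtc = $_.CreationTimeUtc
            Signature  = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
        }
    }

"Write-capable ACL entries for untrusted principals: $(@($risky).Count)"
$risky | Format-Table @{n='SID'; e={$_.IdentityReference.Value}}, FileSystemRights, IsInherited -AutoSize

"DLLs without a valid signature: $(@($dlls | Where-Object Signature -ne 'Valid').Count)"
$dlls | Where-Object Signature -ne 'Valid' | Format-Table -AutoSize
```

Any row in the first table means recommendation 1 is not yet in place. Rows in the second table should be compared against a known-good install before being treated as suspicious.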

Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.560Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687654a5a83201eaaccea519

Added to database: 7/15/2025, 1:16:21 PM

Last enriched: 7/22/2025, 8:39:13 PM

Last updated: 8/8/2025, 6:21:43 PM
