CVE-2025-45095: n/a
Lavasoft Web Companion (also known as Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037 installs the DCIService.exe service with an unquoted service path vulnerability. An attacker with write access to the file system could potentially execute arbitrary code with elevated privileges by placing a malicious executable in the unquoted path.
AI Analysis
Technical Summary
CVE-2025-45095 identifies a security vulnerability in Lavasoft Web Companion (also known as Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037. The issue is an unquoted service path vulnerability affecting the DCIService.exe Windows service. In Windows, if a service path contains spaces and is not enclosed in quotes, the operating system may interpret the path incorrectly, allowing an attacker to place a malicious executable in a higher-level directory in the path. When the service starts, Windows may execute the attacker's malicious executable instead of the legitimate service binary. This vulnerability requires the attacker to have write access to the file system locations in the service path, which could be achieved through local access or by exploiting other vulnerabilities that grant file system write permissions. Successful exploitation results in arbitrary code execution with SYSTEM-level privileges, effectively allowing privilege escalation. No CVSS score has been assigned yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability is significant because it leverages a common misconfiguration in Windows services that can be exploited to gain elevated privileges. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations. The vulnerability affects multiple versions of Lavasoft Web Companion, a product used for adware and malware protection, which is deployed on many endpoints worldwide.
Potential Impact
For European organizations, this vulnerability poses a serious risk of privilege escalation and arbitrary code execution on affected endpoints. If exploited, attackers could gain SYSTEM-level access, allowing them to disable security controls, install persistent malware, or move laterally within the network. This could lead to data breaches, disruption of business operations, and compromise of sensitive information. Organizations with endpoints running affected versions of Lavasoft Web Companion are particularly vulnerable if endpoint security policies allow users or processes to write to service directories. The impact is heightened in sectors with critical infrastructure or sensitive data, such as finance, healthcare, and government. Although exploitation requires local file system write access, attackers could leverage other vulnerabilities or social engineering to gain this foothold. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers often develop exploits rapidly after disclosure. The vulnerability could also be used as part of a multi-stage attack chain, increasing its strategic value to threat actors targeting European entities.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first identify all endpoints running affected versions of Lavasoft Web Companion. Immediate steps include restricting write permissions on directories involved in the service path to prevent unauthorized file placement. Administrators should manually inspect the service path for DCIService.exe and ensure it is properly quoted to prevent misinterpretation by Windows. If possible, update or patch the software once a vendor fix is released. Until a patch is available, consider disabling the vulnerable service if it is not critical to operations or replacing the software with alternative security solutions. Employ endpoint protection solutions that monitor for unauthorized service modifications and suspicious executable placements. Regularly audit local user permissions to minimize the risk of unauthorized file system access. Additionally, educate users about the risks of downloading and executing untrusted files that could facilitate local access. Implement application whitelisting to prevent execution of unauthorized binaries in service directories. Finally, maintain robust incident detection capabilities to quickly identify any attempts to exploit this vulnerability.
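The inspection steps above, as an added example (not Lavasoft's or this page's own code): the PowerShell below lists services whose image path is unquoted and contains spaces, proposes the quoted form, and reports which ancestor directories a non-administrative account can create files in. The function names and the `*DCIService.exe*` filter are assumptions of this example.

```powershell
# Added example (not vendor code): audit for unquoted service paths. Function names
# are chosen for this example. Run from an elevated PowerShell prompt.
$TrustedSids = @(
    'S-1-5-18'        # LocalSystem
    'S-1-5-32-544'    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Test-NonAdminCreateFile {
    param([Parameter(Mandatory)][string]$Directory)
    # True when an Allow ACE applying to the directory itself lets a non-trusted
    # SID create files in it. Generic (unmapped) access bits are not decoded.
    $create      = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Directory).GetAccessRules($true, $true, $sidType)
    [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $TrustedSids -and
        ([int]$_.FileSystemRights -band $create) -and
        -not ([int]$_.PropagationFlags -band $inheritOnly)
    })
}

function Get-UnquotedServicePath {
    param([string]$PathLike = '*')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like $PathLike } |
        ForEach-Object {
            $path = $_.PathName.Trim()
            # Skip quoted paths; otherwise separate the executable from its arguments.
            if ($path.StartsWith('"') -or $path -notmatch '^(?<exe>.+?\.exe)(\s|$)') { return }
            $exe = $Matches['exe']
            if (-not $exe.Contains(' ')) { return }   # no space: not affected
            # Each space-delimited prefix names a file Windows tries before the real binary.
            $dirs = for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
                [System.IO.Path]::GetDirectoryName($exe.Substring(0, $i) + '.exe')
            }
            [pscustomobject]@{
                Service      = $_.Name
                RunsAs       = $_.StartName
                PathName     = $path
                QuotedFix    = '"{0}"{1}' -f $exe, $path.Substring($exe.Length)
                WritableDirs = @($dirs | Select-Object -Unique | Where-Object {
                    (Test-Path -LiteralPath $_) -and (Test-NonAdminCreateFile $_) })
            }
        }
}

Get-UnquotedServicePath -PathLike '*DCIService.exe*' | Format-List
```

An empty `WritableDirs` means standard users cannot currently create files in the ancestor directories, but the path should still be quoted as recommended above. Calling `Get-UnquotedServicePath` with no filter audits every service on the host.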
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68e7c8edba0e608b4f9e1e8e
Added to database: 10/9/2025, 2:38:37 PM
Last enriched: 10/9/2025, 2:53:09 PM
Last updated: 10/9/2025, 5:04:48 PM