Thursday, April 16, 2026

K7 Antivirus Vulnerability Lets Attackers Gain SYSTEM-level Privileges

Security researcher Lucas Laise from Quarkslab discovered a serious privilege escalation vulnerability in K7 Ultimate Security, an antivirus software from K7 Computing.

Low-privileged users can abuse permissive named pipes to modify registry keys and execute code as SYSTEM without triggering a User Account Control prompt.

Initial tests targeted version 17.0.2045 from July 2025.

Discovery and Exploitation

After installation, certain actions, including editing the configuration, were restricted to administrators.

Admins could enable a setting that allows non-admins to modify protections, such as real-time scanning or exclusions, without UAC elevation.

Tools like PipeViewer identified SYSTEM-owned named pipes with broad access, including \\.\pipe\K7TSMngrService1.

Intercepting the pipe traffic with IoNinja while a setting was changed showed K7TSMain.exe sending binary payloads to the SYSTEM process K7TSMngr.exe over that pipe, which then applied the corresponding registry updates.

An attacker can replay these packets from PowerShell to grant all users configuration access, disable protections, or allowlist malware.

K7 GUI – Main page.

Deeper manipulation exploited the payload's length checks. A registry value such as AdminNonAdminIsValid resisted direct changes, but altering it to AdminNonAdminIsValie succeeded after a hex byte in the payload was decremented from B9 (185) to B8, matching the adjusted string length.

Full escalation used an Image File Execution Options key at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSHlpr.exe: setting its “Debugger” value caused a batch file to launch as SYSTEM during a fake update, which then created new admin accounts.

Patch Bypasses and Root Analysis

K7 released three patches, each of which was circumvented.

The first patch added caller validation on the pipe, which blocked direct scripts; it was bypassed by manually injecting a DLL into a new k7tsmngr.exe instance started as the low-privileged user.

Limited user without privilege cannot change settings.

The second patch added a driver (K7Sentry.sys v22.0.0.70) that protected that process; it was evaded by injecting into an unprotected K7 binary such as K7QuervarCleaningTool.exe.

Reverse engineering revealed how K7TSMngr.exe validates a pipe client: its path must match the install directory, its MD5 must hit a cache, or it must carry a digital signature from “K7 Computing Pvt Ltd”.

K7Sentry hooked ZwOpenProcess/ZwOpenThread to protect the processes listed in HKLM\SYSTEM\CurrentControlSet\Services\K7Sentry\Config\VDefProtectedProcs (e.g., K7TSMNGR.EXE|L|K7RTSCAN.EXE|L|).

Processes whose names start with “k7” or “K7” but that run outside the install path were not protected.

Disclosure began on August 25, 2025, and the findings were published on December 2 after the bypass notifications.

K7 plans ACL enforcement in a future major release; users should update immediately and audit named pipe access.
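A defender-side check for that last recommendation, added here as an example and not code from Quarkslab or K7: it takes named-pipe DACLs in SDDL form (as a tool such as PipeViewer or an ACL dump would supply them) and reports allow ACEs that give every local user write access to a SYSTEM-owned pipe. The pipe names and SDDL strings are constructed samples, not K7's actual ACLs.

```python
import re

# Added example (not K7/Quarkslab code): audit named-pipe DACLs in SDDL form.
# SDDL SID aliases and well-known SIDs that cover every local user.
BROAD_SIDS = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
    "IU": "Interactive Users", "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users",
}
# Two-letter SDDL rights that let a client send data or rewrite the ACL.
WRITE_TOKENS = {"GA", "GW", "FA", "FW", "WD", "WO"}
# Same rights as a mask (GENERIC_ALL, GENERIC_WRITE, FILE_WRITE_DATA,
# WRITE_DAC, WRITE_OWNER) for ACEs written with a hex mask instead of letters.
WRITE_MASK = 0x10000000 | 0x40000000 | 0x00000002 | 0x00040000 | 0x00080000
ACE_RE = re.compile(r"\(([^)]*)\)")


def grants_write(rights):
    """True if an SDDL rights field allows writing to the object."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & WRITE_TOKENS)


def permissive_aces(sddl):
    """(principal, rights) for each allow ACE in the D: section that grants
    a broad principal write access; deny ACEs and any S: (SACL) are skipped."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    findings = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")  # type;flags;rights;objguid;inhguid;sid
        if len(fields) >= 6 and fields[0] == "A":
            rights, sid = fields[2], fields[5]
            if sid in BROAD_SIDS and grants_write(rights):
                findings.append((BROAD_SIDS[sid], rights))
    return findings


def audit_pipes(pipes):
    """Map pipe name -> findings, for every pipe whose DACL is permissive."""
    report = {}
    for name, sddl in pipes.items():
        hits = permissive_aces(sddl)
        if hits:
            report[name] = hits
    return report


# Constructed samples, not K7's real ACLs: a SYSTEM-owned pipe writable by
# Everyone, and a hardened one that only SYSTEM and Administrators may write.
SAMPLE_PIPES = {
    r"\\.\pipe\K7TSMngrService1": "O:SYG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)",
    r"\\.\pipe\sample_hardened": "O:SYG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;AU)",
}
```

Calling audit_pipes(SAMPLE_PIPES) flags only the first pipe, because its third ACE lets Everyone write; the hardened DACL grants broad principals read only.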

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging threats and technologies.
