Comodo Internet Security 2025 Vulnerabilities Allows Remote Code Execution System Privileges

A series of critical vulnerabilities have been discovered in Comodo Internet Security Premium (CISP) version 12.3.4.8162, potentially allowing remote attackers to execute arbitrary code with SYSTEM privileges.

The Vulnerabilities, disclosed under CVE-2025-7095, stem from improper certificate validation, insufficient data authenticity checks, and path traversal weaknesses in the update mechanism.

Security researchers have demonstrated that these vulnerabilities can be chained to deliver persistent malware and gain full control of victim systems, even bypassing Comodo’s own isolation mechanisms.

The root of the attack lies in Comodo’s failure to properly validate SSL certificates when connecting to its update server (download.comodo.com).

By default, Comodo Internet Security uses HTTPS for update checks but does not verify the authenticity of the server’s SSL certificate.

This oversight (CWE-295: Improper Certificate Validation) allows a threat actor to perform a DNS spoofing attack, redirecting update traffic to a malicious server under their control.

Attack Scenario:

• The attacker sets up a rogue HTTPS server with a self-signed certificate.
• Through DNS spoofing and ARP poisoning, the victim’s update requests are transparently redirected to the attacker’s server.
• Comodo accepts the connection without warning, failing to detect the invalid certificate.

This enables attackers to serve fake update packages to any user on the same network, with the victim none the wiser.

Remote Code Execution

Once the update traffic is hijacked, the attacker can exploit further weaknesses in the update process:

a. Insufficient Verification of Update Files (CWE-345):
Comodo Internet Security does not verify the authenticity or integrity of the update manifest file (cis_update_x64.xml). An attacker can craft a malicious manifest referencing arbitrary binaries or scripts.

b. OS Command Injection (CWE-77):
The manifest’s <exec> section allows arbitrary binaries to be executed with SYSTEM privileges. By inserting a reference to a malicious script (e.g., a PowerShell Meterpreter payload), the attacker gains remote code execution at the highest privilege level.

Demonstrated Impact:

• Malicious update packages can be delivered and executed as SYSTEM.
• Attackers can run post-exploitation tools like Mimikatz or hashdump to extract credentials and maintain persistence.
• Comodo’s process isolation is insufficient to contain the attack, as the malicious code inherits SYSTEM privileges.

Persistent Malware Installation

A further vulnerability arises from improper input sanitization in the update manifest:

a. Path Traversal in File and Folder Names (CWE-22):
The update process uses the name and folder attributes from the manifest to determine where files are written. By including path traversal sequences (e.g., ../../../../../), an attacker can write files anywhere on the system, including the Windows Startup directory.

b. Persistent Backdoors:
By placing a malicious batch file in the Startup folder, the attacker ensures their payload is executed every time the system reboots, allowing for persistent remote access.

Proof-of-Concept:
Researchers demonstrated that after a successful spoofed update, a malicious file was written to the Startup directory. Upon reboot, the attacker regained SYSTEM-level access without further user interaction.

These vulnerabilities in Comodo Internet Security Premium 2025 addressed a severe risk to users, especially in environments where attackers can manipulate network traffic. The vulnerabilities allow for full remote compromise of affected systems, persistent malware installation, and complete bypass of Comodo’s security controls.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.