Security researcher Lucas Laise from Quarkslab discovered a serious privilege escalation vulnerability in K7 Ultimate Security, an antivirus software from K7 Computing.
Low-privileged users can exploit permissive named pipes to modify registry keys and execute code as SYSTEM without prompting for User Account Control.
Initial tests targeted version 17.0.2045 from July 2025.
Installation showed that several actions, including editing the product configuration, were restricted for non-admin users.
Admins could enable a setting that allows non-admins to modify protections, such as real-time scans or exclusions, without UAC elevation.
Tools like PipeViewer identified SYSTEM-owned named pipes with broad access, including \\.\pipe\K7TSMngrService1.
Interception via IoNinja during setting changes showed K7TSMain.exe sending binary payloads to the SYSTEM process K7TSMngr.exe over that pipe, triggering registry updates.
An attacker can replay these packets from PowerShell to grant all users configuration access, disable protections, or allowlist malware.
Deeper manipulation exploited payload length checks. A registry value like AdminNonAdminIsValid resisted direct changes, but altering it to AdminNonAdminIsValie succeeded after decrementing a hex byte from B9 (185) to B8, matching the adjusted string length.
Full escalation used Image File Execution Options under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSHlpr.exe, setting a “Debugger” to launch a batch file as SYSTEM during a fake update, creating new admin accounts.
K7 released three patches, each of which was circumvented.
The first added caller validation on the pipe, blocking direct scripts; it was bypassed via manual DLL injection into a new k7tsmngr.exe instance running as a low-privileged user.
The second, a driver (K7Sentry.sys v22.0.0.70), protected that process; it was evaded by injecting into an unprotected K7 binary, such as K7QuervarCleaningTool.exe.
Reverse engineering revealed dual checks in K7TSMngr.exe: client path matching install directory, MD5 cache hit, or digital signature by “K7 Computing Pvt Ltd”.
K7Sentry hooked ZwOpenProcess/ZwOpenThread, protecting processes listed in HKLM\SYSTEM\CurrentControlSet\Services\K7Sentry\Config\VDefProtectedProcs (e.g., K7TSMNGR.EXE|L|K7RTSCAN.EXE|L|).
Processes starting with “k7” or “K7” outside the install path were not protected.
Disclosure began on August 25, 2025, with publication on December 2, after bypass notifications.
K7 plans ACL enforcement in a future major release; users should update immediately and audit named pipe access.
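The IFEO "Debugger" value was the escalation primitive in this chain, and it is also a well-known persistence technique, so auditing it is a cheap defensive check. The following PowerShell script is an added example (not Quarkslab's or K7's code) that enumerates IFEO Debugger entries and flags the ones worth reviewing; it assumes it is run with administrator rights on the audited host, and the `$benignDebuggers` allowlist is illustrative.

```powershell
# Added example: audit Image File Execution Options (IFEO) Debugger values.
# Assumptions: run elevated on the host being audited; $benignDebuggers is an
# illustrative allowlist to adapt to your own fleet, not vendor guidance.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$benignDebuggers = @('vsjitdebugger.exe', 'ntsd.exe', 'windbg.exe')
# Script interpreters or batch files as a "debugger" are almost never legitimate.
$scriptExt = '\.(bat|cmd|ps1|vbs|js|wsf)(\s|"|$)'

function Get-IfeoDebuggerFindings {
    param([string]$Path = $ifeoPath)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Only subkeys that actually carry a Debugger value are interesting.
        if (-not $props -or -not $props.PSObject.Properties['Debugger']) { return }

        $dbg  = [string]$props.Debugger
        $exe  = ($dbg -split '\s+')[0].Trim('"')
        $leaf = [System.IO.Path]::GetFileName($exe)

        $reasons = @()
        if ($benignDebuggers -notcontains $leaf.ToLower()) { $reasons += 'debugger binary not on allowlist' }
        if ($dbg -match $scriptExt) { $reasons += 'script or batch file used as debugger' }
        if ($exe -notmatch '^[A-Za-z]:\\(Windows|Program Files)') { $reasons += 'debugger outside Windows/Program Files' }
        # An IFEO entry hooking a security product's own helper is the pattern seen in the K7 case.
        if ($_.PSChildName -match '^k7') { $reasons += 'target is a K7 binary' }

        [pscustomobject]@{
            Image    = $_.PSChildName
            Debugger = $dbg
            Status   = if ($reasons.Count -gt 0) { 'review' } else { 'expected' }
            Reasons  = ($reasons -join '; ')
        }
    }
}

Get-IfeoDebuggerFindings | Sort-Object Status -Descending | Format-Table -AutoSize
```

Entries marked `review` should be compared against change records; a Debugger value pointing at a user-writable path or a batch file is the case to treat as an incident rather than a misconfiguration.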