CVE-2025-26125: Local Privilege Escalation in IObit Malware Fighter
Published: March 17, 2025
Severity: Medium (CVSS 6.8)
Affected Product: IObit Malware Fighter v12.1.0
CVE Identifier: CVE-2025-26125
PoC Repository: https://github.com/ZeroMemoryEx/CVE-2025-26125
Overview
CVE-2025-26125 is a vulnerability in IObit Malware Fighter v12.1.0, a popular security product. The issue arises from an exposed IOCTL in the IMFForceDelete driver, which allows unprivileged users to delete arbitrary files and folders. This vulnerability can be leveraged to escalate privileges to NT AUTHORITY\SYSTEM, granting full system access.
Technical Details
The IMFForceDelete driver exposes an IOCTL interface without sufficient access controls, permitting unprivileged users to delete arbitrary files. Attackers can exploit this by deleting and recreating files with weak Discretionary Access Control Lists (DACLs) and manipulating the Windows Installer (MSI) rollback mechanism. This process involves creating fake RBF and RBS files, ultimately enabling the attacker to gain SYSTEM-level privileges.
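A defender-side check for the rollback-file step described above, as an added example that is not part of the original advisory or the PoC repository: it flags rollback files (.rbs/.rbf) written into Config.Msi by anything other than the Windows Installer service. The event records are constructed and use Sysmon-style field names; the `C:\Config.Msi` location and the `msiexec.exe` path assume a default Windows installation.

```python
from pathlib import PureWindowsPath

ROLLBACK_EXTS = {".rbs", ".rbf"}  # Windows Installer rollback script / backup files
TRUSTED_USER = r"nt authority\system"
TRUSTED_IMAGE = r"c:\windows\system32\msiexec.exe"  # assumption: default install path

# Constructed sample file-create events (not taken from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Config.Msi\5f3a1.rbs"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe", "User": r"LAB\alice",
     "TargetFilename": r"C:\Config.Msi\5f3a1.rbs"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe", "User": r"LAB\alice",
     "TargetFilename": r"c:\config.msi\5F3A2.RBF"},
    {"Image": r"C:\Users\alice\Downloads\msiexec.exe", "User": r"LAB\alice",
     "TargetFilename": r"C:\Config.Msi\5f3a3.rbf"},
    {"Image": r"C:\Windows\explorer.exe", "User": r"LAB\alice",
     "TargetFilename": r"C:\Users\alice\Documents\notes.rbs"},
]


def is_rollback_file(path):
    """True for <drive>:\\Config.Msi\\<name>.rbs|.rbf, compared case-insensitively."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    return (len(parts) == 3 and parts[1] == "config.msi"
            and p.suffix.lower() in ROLLBACK_EXTS)


def suspicious(event):
    """Flag a rollback file written by anything except msiexec.exe running as SYSTEM."""
    if not is_rollback_file(event["TargetFilename"]):
        return False
    trusted = (event["User"].lower() == TRUSTED_USER
               and event["Image"].lower() == TRUSTED_IMAGE)
    return not trusted


def triage(events):
    """Return the events that deserve an analyst's attention."""
    return [e for e in events if suspicious(e)]


if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(f'ALERT {e["User"]} {e["Image"]} -> {e["TargetFilename"]}')
```

The same predicate can be expressed as a rule in whichever EDR or SIEM collects file-create telemetry; the Python form is only for walking through the logic.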
Proof of Concept
A proof of concept (PoC) demonstrating this vulnerability is available on GitHub. The repository provides a detailed walkthrough of the exploitation process, including code and instructions.
Mitigation
IObit has not yet released an official patch for this vulnerability. Users are advised to monitor IObit's official channels for updates. As a precautionary measure, consider uninstalling IObit Malware Fighter or using alternative security solutions until a fix is provided.
References