CVE-2025-7095 # Comodo Internet Security Premium 12.3.4.8162 exposed to remote code execution attack with system privileges in danger.

Multiple critical vulnerabilities in Comodo Internet Security Premium 2025 allow attackers to execute remote code with SYSTEM privileges, completely compromising victim systems through malicious update packages. 
The vulnerabilities, collectively assigned CVE-2025-7095, affect version 12.3.4.8162 and were discovered by FPT IS Security researchers.
Improper Certificate Validation (CWE-295) Weakness Enumeration >>>
The primary vulnerability stems from improper certificate validation (CWE-295) in Comodo’s update mechanism. 
Despite using HTTPS connections to https://download.comodo.com/ for updates, the security software fails to validate SSL certificates, enabling attackers to redirect update traffic to malicious servers through DNS spoofing attacks.

Researchers demonstrated the attack using a Python script leveraging the Scapy library to perform DNS redirection. 
The attack requires positioning on the victim’s network to intercept DNS queries for download.comodo.com and redirect them to an attacker-controlled server at 192.168.58.192. 
The proof-of-concept code includes ARP spoofing commands like sudo arpspoof -i eth0 -t 10.10.14.4 -r 10.10.14.1 to establish the necessary network position.


Insufficient Verification of Data Authenticity (CWE-345)  >>>


The second critical flaw involves insufficient verification of data authenticity (CWE-345) in the update manifest file cis_update_x64.xml. 
Attackers can craft malicious manifest files containing an <exec> tag that executes arbitrary commands with SYSTEM privileges. 
The vulnerability allows execution of PowerShell payloads through parameters like:



This enables attackers to deliver Metasploit payloads, establishing persistent backdoors that bypass Comodo’s containerization technology. 
Researchers successfully demonstrated credential harvesting using hashdump and mimikatz modules, extracting Windows password hashes including Administrator accounts.



Path Traversal (CWE-22) >>>

A third vulnerability involves path traversal (CWE-22) in the update system’s file placement mechanism. 
Attackers can exploit the folder parameter in manifest files using directory traversal sequences like ../../../ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/ to write malicious files directly to the Windows startup directory.

The attack places malicious batch files containing Base64-encoded PowerShell reverse shells in the startup folder, ensuring persistence across system reboots. 
The payload executes with user privileges initially but can escalate to SYSTEM using UAC bypass techniques like the bypassuac_sdclt module.
The vulnerabilities carry a CVSS 4.0 score of 6.3 (Medium severity), though the actual impact is severe due to the potential for complete system compromise. 

The attack complexity is rated as high, requiring network positioning for DNS spoofing, but successful exploitation results in full administrative control over target systems.
Comodo has not responded to vulnerability disclosure attempts. Users should implement network-level protections and monitor for suspicious update activities until patches are available.