Cisco warns of denial of service flaw with PoC exploit code

Cisco has released security updates to patch a ClamAV denial-of-service (DoS) vulnerability for which proof-of-concept (PoC) exploit code is available.

Tracked as CVE-2025-20128, the vulnerability is caused by a heap-based buffer overflow weakness in the Object Linking and Embedding 2 (OLE2) decryption routine, allowing unauthenticated, remote attackers to trigger a DoS condition on vulnerable devices.

If this vulnerability is successfully exploited, it could cause the ClamAV antivirus scanning process to crash, preventing or delaying further scanning operations.

“An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device,” Cisco explained. “A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software.”

However, in an advisory issued today, the company noted that overall system stability would not be affected even after successful attacks.

The vulnerable products list includes the Secure Endpoint Connector software for Linux, Mac, and Windows-based platforms. This solution helps ingest Cisco Secure Endpoint audit logs and events into security information and event management (SIEM) systems like Microsoft Sentinel.

PoC exploit available, no active exploitation

While the Cisco Product Security Incident Response Team (PSIRT) said it has no evidence of in-the-wild exploitation, it added that CVE-2025-20128 exploit code is already available.

“The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory,” Cisco PSIRT stated.

Today, the company also patched a Cisco BroadWorks DoS security flaw (CVE-2025-20165) and a critical severity privilege escalation vulnerability (CVE-2025-20156) in the Cisco Meeting Management REST API that lets hackers gain admin privileges on unpatched devices.

In October, it fixed another DoS security bug (CVE-2024-20481) in its Cisco ASA and Firepower Threat Defense (FTD) software, discovered during large-scale brute-force attacks against Cisco Secure Firewall VPN devices in April 2024.

One month later, it addressed a maximum severity vulnerability (CVE-2024-20418) that allows attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) industrial access points.
