ClamAV VirusEvent: When the Antivirus Becomes the Virus
Jan 1, 2026·5 min read·48 visits
Executive Summary (TL;DR)
ClamAV's configuration allows admins to run a command when a virus is found. By failing to sanitize the filename placeholder (%f) before passing it to 'sh -c', the engine executes any shell commands embedded in the name of the infected file. It's a 1990s-style vulnerability in a 2024 security product.
A classic OS Command Injection vulnerability in ClamAV's 'VirusEvent' feature allows local attackers to execute arbitrary code by simply naming a file with malicious shell characters.
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
ClamAV Cisco | 1.2.0 - 1.2.1 | 1.2.2 |
ClamAV Cisco | 1.0.0 - 1.0.4 | 1.0.5 |
ClamAV Cisco | <= 0.105.x | 1.0.5 |
| Attribute | Detail |
|---|---|
| CWE | CWE-78 (OS Command Injection) |
| Attack Vector | Local (potentially Remote via file upload) |
| CVSS v3.1 | 5.3 (Medium) |
| Impact | Arbitrary Code Execution / Privilege Escalation |
| Vulnerable Component | clamd daemon (VirusEvent) |
| Exploit Status | Proof of Concept Available |
MITRE ATT&CK Mapping
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.