Jan 1, 2026 · 5 min read
ClamAV's configuration allows admins to run a command when a virus is found. By failing to sanitize the filename placeholder (%f) before passing it to 'sh -c', the engine executes any shell commands embedded in the name of the infected file. It's a 1990s-style vulnerability in a 2024 security product.
A classic OS Command Injection vulnerability in ClamAV's 'VirusEvent' feature allows local attackers to execute arbitrary code by simply naming a file with malicious shell characters.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

| Product | Affected Versions | Fixed Version |
|---|---|---|
| ClamAV Cisco | 1.2.0 - 1.2.1 | 1.2.2 |
| ClamAV Cisco | 1.0.0 - 1.0.4 | 1.0.5 |
| ClamAV Cisco | <= 0.105.x | 1.0.5 |

| Attribute | Detail |
|---|---|
| CWE | CWE-78 (OS Command Injection) |
| Attack Vector | Local (potentially Remote via file upload) |
| CVSS v3.1 | 5.3 (Medium) |
| Impact | Arbitrary Code Execution / Privilege Escalation |
| Vulnerable Component | clamd daemon (VirusEvent) |
| Exploit Status | Proof of Concept Available |
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
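To make the CWE-78 pattern concrete, here is an added example (not ClamAV's code, and not how the upstream fix is implemented) that contrasts textual placeholder substitution, which is what a `sh -c` string sees, with per-token substitution into an argv list intended for an exec-style call. The template line and the `%v`/`%f` placeholder names are assumptions modelled on the page's description of the `VirusEvent` feature.

```python
import shlex
from typing import List

# Constructed example of an operator-written VirusEvent command line
# (hypothetical; mirrors the %f filename placeholder discussed above).
VIRUS_EVENT_TEMPLATE = "/usr/local/bin/notify-admin --virus %v --file %f"


def render_vulnerable(template: str, virus: str, filename: str) -> str:
    """Plain string substitution of the placeholders.

    This is the shape of the bug: whatever ends up in `filename` becomes
    part of the command text that a shell would parse. Nothing is executed
    here; the return value only shows how the boundary is lost.
    """
    return template.replace("%v", virus).replace("%f", filename)


def build_argv_safe(template: str, virus: str, filename: str) -> List[str]:
    """Tokenize the trusted template first, then substitute per token.

    Because the filename is appended as exactly one argv element, shell
    metacharacters inside it are inert when the list is handed to an
    exec-style call (e.g. subprocess.run(argv) with shell=False).
    """
    argv: List[str] = []
    for tok in shlex.split(template):
        if tok == "%f":
            argv.append(filename)
        elif tok == "%v":
            argv.append(virus)
        elif "%f" in tok or "%v" in tok:
            # A placeholder glued to other text (e.g. --file=%f) would force
            # textual substitution again; refuse instead of guessing.
            raise ValueError(f"placeholder must be a standalone token: {tok!r}")
        else:
            argv.append(tok)
    return argv


def filename_isolated(argv: List[str], filename: str) -> bool:
    """Check that the untrusted value occupies its own argv slot, unchanged."""
    return argv.count(filename) == 1 and all(
        a == filename or filename not in a for a in argv
    )
```

Running `build_argv_safe` on a filename such as `sample.doc;id` yields `['/usr/local/bin/notify-admin', '--virus', 'Eicar-Test-Signature', '--file', 'sample.doc;id']`, whereas `render_vulnerable` produces one flat string in which the `;` is a command separator to any shell.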