Arbitrary Code Execution via Filename Manipulation in BitDefender GravityZone Installer

Arbitrary Code Execution via Filename Manipulation in BitDefender GravityZone Installer

CVE-2018-8955 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

The installer for BitDefender GravityZone relies on an encoded string in a filename to determine the URL for installation metadata, which allows remote attackers to execute arbitrary code by changing the filename while leaving the file's digital signature unchanged.

Learn more about our Web Application Penetration Testing UK.