Antivirus: Comodo Internet Security allows malicious code to be planted
An IT security researcher has discovered several vulnerabilities in the Comodo Internet Security antivirus, which could allow attackers to inject malicious code.
The malware protection software from Comodo, more precisely Comodo Internet Security Premium, contains vulnerabilities that allow attackers to infiltrate and execute malicious code. The current patch status is unclear – it appears that the manufacturer does not yet have an update ready to close the gaps at the time of reporting.
The Comodo software has won fans partly because its “Antivirus” version is available free of charge. An IT security researcher took a closer look at the somewhat larger commercial version, Internet Security Premium 2025, and discovered some hair-raising errors.
Comodo: Two critical security vulnerabilities
Comodo's update server publishes the metadata of the binaries delivered as software updates in the file “cis_update_x64.xml”. The client software checks neither the authenticity nor the integrity of this file, so attackers in a man-in-the-middle position, for example after a DNS spoofing attack, can use it to inject malicious scripts that run with SYSTEM rights (CVE-2025-7096 / EUVD-2025-20153, CVSS 9.2, risk “critical”). The manifest format also supports an “exec” tag that causes binaries to be executed with parameters. Attackers can use it to execute arbitrary commands and take control of the machine, again with SYSTEM privileges (CVE-2025-7097 / EUVD-2025-20157, CVSS 9.2, risk “critical”).
The Comodo software uses the values of the “name” and “folder” fields as the download path without any further filtering. This allows attackers to exploit a path traversal vulnerability via the manifest file and plant a malicious file in the startup folder, which lets them take over the machine after the next reboot (CVE-2025-7098 / EUVD-2025-20155, CVSS 6.3, risk “medium”). The last vulnerability concerns the connection to the update server “download.comodo.com”: the Comodo client does not verify the server's SSL certificate, which allows attackers to redirect traffic to a bogus update server under their control, for example with a DNS spoofing attack (CVE-2025-7095 / EUVD-2025-20154, CVSS 6.3, risk “medium”).
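The four findings above describe one weak update pipeline: an unauthenticated manifest, an “exec” tag honoured blindly, “name”/“folder” values used as paths without filtering, and a TLS connection without certificate checks. The following Python sketch, added here as an illustration and not code from Comodo or from the researcher's analysis, shows what a hardened client would do at each of those points. The manifest layout (a `<file name= folder=>` / `<exec name= args=>` schema), the sample manifest, the shared key and the helper names are all assumptions for this example; only the tag names and the file name cis_update_x64.xml come from the article. The HMAC check stands in for the asymmetric signature (e.g. Ed25519 over the manifest) a real updater would verify with a pinned public key; it is used here only to keep the example stdlib-only.

```python
import hashlib
import hmac
import ssl
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample manifest (hypothetical schema). Entries 3 and 4 carry the
# kind of "name"/"folder" values a path traversal attempt would use; the second
# <exec> names a binary that the manifest does not deliver.
SAMPLE_MANIFEST = b"""<?xml version="1.0"?>
<update>
  <file name="cis_core.dll" folder="bin"/>
  <file name="setup.exe" folder="bin"/>
  <file name="..\\..\\Programs\\Startup\\payload.exe" folder="bin"/>
  <file name="payload.exe" folder="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"/>
  <exec name="setup.exe" args="/silent"/>
  <exec name="cmd.exe" args="/c echo hi"/>
</update>
"""

DEMO_KEY = b"example-shared-secret"  # constructed; stand-in for a pinned public key
DEMO_TAG = hmac.new(DEMO_KEY, SAMPLE_MANIFEST, hashlib.sha256).hexdigest()


def verify_manifest(manifest: bytes, tag_hex: str, key: bytes) -> bool:
    """Authenticity/integrity check of the manifest before anything in it is trusted."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


def is_safe_component(value: str) -> bool:
    """A download file name must be exactly one path component: no separators,
    no '..', no drive letter, no root. Parsed as a Windows path because that is
    where the client runs, regardless of the host running this example."""
    p = PureWindowsPath(value)
    return (
        value not in ("", ".", "..")
        and not p.is_absolute()
        and p.drive == "" and p.root == ""
        and len(p.parts) == 1
    )


def is_safe_folder(value: str) -> bool:
    """A target folder may be relative and nested, but never absolute or climbing."""
    p = PureWindowsPath(value)
    if p.drive or p.root or p.is_absolute():
        return False
    return all(part not in ("..", ".") and part.strip() for part in p.parts)


def plan_update(manifest: bytes) -> dict:
    """Parse an already-authenticated manifest and decide what may be written
    and executed. <exec> is only honoured for a binary delivered by this same
    manifest, so the tag cannot be turned into an arbitrary command runner."""
    root = ET.fromstring(manifest)
    accepted, rejected = [], []
    for f in root.iter("file"):
        name, folder = f.get("name", ""), f.get("folder", "")
        if is_safe_component(name) and is_safe_folder(folder):
            accepted.append(str(PureWindowsPath(folder) / name))
        else:
            rejected.append((name, folder))
    delivered = {PureWindowsPath(p).name for p in accepted}
    allowed, refused = [], []
    for e in root.iter("exec"):
        entry = (e.get("name", ""), e.get("args", ""))
        (allowed if entry[0] in delivered else refused).append(entry)
    return {"files": accepted, "rejected": rejected,
            "exec": allowed, "refused_exec": refused}


def load_update(manifest: bytes, tag_hex: str, key: bytes):
    """Authenticate first, parse second. Returns None for an unauthenticated manifest."""
    if not verify_manifest(manifest, tag_hex, key):
        return None
    return plan_update(manifest)


def updater_tls_context() -> ssl.SSLContext:
    """TLS context for the update download: CA-verified peer certificate plus
    hostname check, so a spoofed download server is rejected at the handshake.
    Use as ctx.wrap_socket(sock, server_hostname="download.comodo.com")."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print(load_update(SAMPLE_MANIFEST, DEMO_TAG, DEMO_KEY))
    print("tampered manifest accepted:",
          load_update(SAMPLE_MANIFEST + b"<!-- -->", DEMO_TAG, DEMO_KEY) is not None)
```

Run as written, the plan keeps only `bin\cis_core.dll` and `bin\setup.exe`, rejects both traversal attempts, permits the `setup.exe` exec and refuses the `cmd.exe` one; a manifest that fails authentication is never parsed at all. The order matters: parsing before verifying would let a spoofed manifest steer the client even if the signature check later fails.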
According to the complete analysis, which includes proof-of-concept exploits, Comodo Internet Security Premium 12.3.4.8162 is affected; it was still vulnerable with all available updates installed at the time of documentation in mid-June. As the free antivirus software probably shares the same update code, it is likely to be vulnerable as well. The IT researcher has contacted Comodo but has not received any feedback.
A response to our inquiry is also still pending. It is likely that no updates are yet available to close the security gaps.
Virus scanners often have vulnerabilities that make them more of a danger than a protection. In mid-June, for example, it became known that Trend Micro's virus protection was full of holes and thus endangered PCs.
(dmk)