Bitdefender GravityZone: Critical security vulnerability puts users at risk

Bitdefender's business endpoint protection suite GravityZone has a critical security vulnerability. Updates are available.

A monster hammers a Pac-Man-shaped virus scanner that is eating viruses non-stop.

(Image: created with AI / Bing Designer by heise online / dmk)


Bitdefender's endpoint protection for business environments, GravityZone, is affected by three vulnerabilities, one of which is rated critical. Both the administration console and the update server are affected.

Bitdefender has published a security advisory for the critical vulnerability in the GravityZone Console. According to the advisory, the function sendMailFromRemoteSource in "Emails.php" calls the PHP function unserialize() on user-supplied data without any prior validation. A crafted serialized payload can therefore inject PHP objects, write files and ultimately execute arbitrary commands on the host system (CVE-2025-2244, CVSS 9.5, risk "critical").
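To make the attack class concrete, here is an added PHP illustration of the pattern the advisory describes. It is not Bitdefender's code: the class LogFlusher, the function names and the payload are all assumptions for the example. The unsafe function unserializes attacker-controlled input; because the attacker chooses the class, a class with a side-effecting magic method (here a file-writing __destruct()) acts as the gadget. Two hardened variants follow: a data-only format with explicit shape validation, and unserialize() with object instantiation disabled for cases where the wire format cannot change.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class (assumption for this example). In a real application it
// would be any class already loaded by the app or its dependencies whose magic
// method (__destruct, __wakeup, __toString, ...) has a useful side effect.
class LogFlusher
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    // Runs automatically when the object is destroyed, e.g. when a local goes out of scope.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE pattern (the one the advisory describes): unserialize() on untrusted input.
// The attacker picks the class and every property value; the object exists before any
// validation could run, and its __destruct() fires even though $msg is never used.
function sendMailFromRemoteSource_unsafe(string $payload): void
{
    $msg = unserialize($payload);
    // ... build and send the mail from $msg ...
}

// HARDENED variant 1: untrusted data never becomes objects. Use a plain data format
// and validate the expected shape explicitly.
function sendMailFromRemoteSource_safe(string $payload): array
{
    $msg = json_decode($payload, true, 16, JSON_THROW_ON_ERROR);
    foreach (['to', 'subject', 'body'] as $field) {
        if (!isset($msg[$field]) || !is_string($msg[$field])) {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
    }
    return $msg;
}

// HARDENED variant 2: if the serialized format cannot be changed, forbid object
// instantiation. Serialized objects come back as __PHP_Incomplete_Class, whose
// magic methods are never invoked, and the depth cap limits parser abuse.
function sendMailFromRemoteSource_legacy(string $payload): mixed
{
    return unserialize($payload, ['allowed_classes' => false, 'max_depth' => 16]);
}

// Constructed attacker payload: a serialized LogFlusher with attacker-chosen path and
// content. A real exploit would drop a PHP file under the web root; this writes a marker.
$payload = 'O:10:"LogFlusher":2:{s:4:"path";s:16:"/tmp/oi-demo.txt";s:4:"data";s:8:"injected";}';

sendMailFromRemoteSource_unsafe($payload);
echo file_exists('/tmp/oi-demo.txt')
    ? "unsafe: /tmp/oi-demo.txt written by __destruct()\n"
    : "unsafe: nothing written\n";
@unlink('/tmp/oi-demo.txt');

$obj = sendMailFromRemoteSource_legacy($payload);
echo 'legacy: got ' . get_class($obj) . ", nothing written\n";   // __PHP_Incomplete_Class

try {
    sendMailFromRemoteSource_safe($payload);
} catch (JsonException $e) {
    echo "safe: rejected non-JSON payload\n";
}
```

The important property of the unsafe variant is that no later check can help: by the time the code could inspect $msg, the object has already been created and its destructor is queued to run. Where unserialize() on external input is unavoidable, pair allowed_classes with an HMAC over the payload so that only data the server itself produced is ever deserialized.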

Attackers can also abuse a server-side request forgery (SSRF) in the GravityZone console to bypass its content verification mechanisms. The trigger is manipulated DNS queries that begin with special characters, which the console accepts when it runs in relay mode. Chained with other vulnerabilities, this can lead to the execution of foreign code (CVE-2025-2243, CVSS 6.9, risk "medium").

In addition to the console, Bitdefender's GravityZone Update Server is affected by a vulnerability, as the company writes in a second advisory. Here, too, the problem is an SSRF that occurs in connection with relay mode. The HTTP proxy module, which listens on port 7074, relies on a domain allow list to restrict outgoing requests. If a hostname contains a null byte (%00), that check can be fooled: a request for a host such as www.boese-domain.com%00bitdefender.com passes the allow-list comparison, yet the request is sent to an arbitrary system (CVE-2025-2245, CVSS 6.9, risk "high").
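The null-byte bypass comes from a mismatch between the layer that checks the hostname (which treats the string as length-delimited bytes) and the layer that uses it (C-style resolver or connector, which stops at the first NUL). The PHP below is an added illustration, not Bitdefender's code; the allow list, the suffix-match logic and the function names are assumptions about how such a check might be written. It also goes slightly beyond the page's case: the weak check is fooled by a plain prefix like evilbitdefender.com as well, and the hardened check closes both gaps.

```php
<?php
declare(strict_types=1);

// Allow list of destination domains (assumed for this example).
const ALLOWED_DOMAINS = ['bitdefender.com', 'bitdefender.net'];

// Pull the host out of a URL after percent-decoding, the way a naive proxy might.
// rawurldecode() turns "%00" into a real NUL byte inside the PHP string.
function extract_host(string $url): ?string
{
    $decoded = rawurldecode($url);
    return preg_match('~^https?://([^/:]+)~', $decoded, $m) ? $m[1] : null;
}

// WEAK check: a plain suffix match on the decoded host. PHP strings are binary-safe,
// so "www.boese-domain.com\0bitdefender.com" really does end with "bitdefender.com".
function host_allowed_weak(string $url): bool
{
    $host = extract_host($url);
    if ($host === null) {
        return false;
    }
    foreach (ALLOWED_DOMAINS as $domain) {
        if (str_ends_with($host, $domain)) {
            return true;
        }
    }
    return false;
}

// What a C-string based resolver or socket layer would actually use: everything up to
// the first NUL byte. This is the part of the request that leaves the server.
function effective_host(string $url): ?string
{
    $host = extract_host($url);
    return $host === null ? null : explode("\0", $host, 2)[0];
}

// HARDENED check: accept only bytes that can occur in a DNS name (this rejects NUL
// and every other control or escape character), normalise case, and match on a label
// boundary so that "evilbitdefender.com" is not treated as "bitdefender.com".
function host_allowed_strict(string $url): bool
{
    $host = extract_host($url);
    if ($host === null
        || !preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?\z/', $host)) {
        return false;
    }
    $host = strtolower($host);
    foreach (ALLOWED_DOMAINS as $domain) {
        if ($host === $domain || str_ends_with($host, '.' . $domain)) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests: one legitimate, the advisory's null-byte shape, one prefix trick.
$cases = [
    'http://www.bitdefender.com/update',
    'http://www.boese-domain.com%00bitdefender.com/',
    'http://evilbitdefender.com/',
];
foreach ($cases as $url) {
    printf("%-48s weak=%-5s strict=%-5s connects-to=%s\n",
        $url,
        var_export(host_allowed_weak($url), true),
        var_export(host_allowed_strict($url), true),
        effective_host($url));
}
```

The second case is the page's scenario: the weak check returns true, while the host that actually gets connected to is www.boese-domain.com. The third case shows why the fix is "exact match or dot-bounded suffix" rather than "strip NUL bytes": a character filter alone still leaves the naive suffix comparison exploitable. Whatever string passes the strict check must also be the exact string handed to the connector, so the two layers cannot disagree again.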

The update to Bitdefender GravityZone Console 6.41.2-1 fixes the console vulnerabilities; for the GravityZone Update Server, the fixed version is 3.5.2.689 or newer. According to Bitdefender, the update is usually applied automatically. Admins should nevertheless verify that their installations are on these or newer versions.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.