Multiple Zero-Day Vulnerabilities in Antivirus and Endpoint Let Attackers Install Data Wipers

Or Yair of SafeBreach Labs recently discovered multiple security Zero-Day vulnerabilities that could be exploited by the threat actors to create next-generation wipers by converting the endpoint detection & response and antivirus products.

At the BlackHat Europe cybersecurity conference, the technical team presented the identified flaws that led to the EDR and AV exploits. 

The researcher was able to exploit the flaws discovered to delete arbitrary files and directories on the system as well as render the machine inoperable as a consequence.

Next-Generation Wiper Tool

Aikido is the wiper tool that has been developed by the Or Yair of SafeBreach Labs, and the purpose of this wiper is to defeat the opponent by using their own power against them.

As a consequence, this wiper can be run without being given privileges. In addition, it is also capable of wiping almost every file on a computer, including the system files, in order to make it completely unbootable and unusable.

EDRs are responsible for deleting malicious files in two main ways, depending on the following contexts:-

  • Time of threat identification
  • Time of threat deletion
Window Opportunity (Safebreach)

As soon as a malicious file is detected and the user attempts to delete it, the Aikido wiper takes advantage of a moment of opportunity. 

This wiper makes use of a feature in Windows allowing users to create junction point links (symlinks) regardless of the privileges of the users’ accounts, which is abused by this wiper.

A user who does not have the required permissions to delete system files (.sys) will not be able to delete those files according to Yair. By creating a decoy directory, he was able to trick the security product to delete the file instead of preventing it from being deleted. 

Likewise, he placed a string inside the group that resembled the path intended for deletion, for example, as follows:-

  • C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers

Qualities of the Aikido Wiper

Here below we have mentioned all the general qualities of the Aikido Wiper:-

  • Fully Undetectable
  • Makes the System Unbootable
  • Wipes Important Data
  • Runs as an Unprivileged User
  • Deletes the Quarantine Directory

Product analysis and response from the vendor

It was found that six out of 11 security products tested by Or Yair were vulnerable to this exploit. In short, over 50% of the products in this category that is tested are vulnerable.

Here below we have mentioned the vulnerable ones:-

  • Defender
  • Defender for Endpoint
  • SentinelOne EDR
  • TrendMicro Apex One
  • Avast Antivirus
  • AVG Antivirus

Here below we have mentioned the products that are not vulnerable:-

  • Palo Alto XDR
  • Cylance
  • CrowdStrike
  • McAfee
  • BitDefender

Between the months of July and August of this year, all the vulnerabilities have been reported to all the vendors that have been affected. There was no arbitrary file deletion achieved by the researcher in the case of Microsoft Defender and Microsoft Defender for Endpoint products.

In order to cope with the vulnerabilities, three of the vendors have issued the following CVEs:-

This exploit was also addressed by three of the software vendors by releasing updated versions of their software to address it:-

  • Microsoft Malware Protection Engine: 1.1.19700.2
  • TrendMicro Apex One: Hotfix 23573 & Patch_b11136
  • Avast & AVG Antivirus: 22.10

This type of vulnerability should be proactively tested by all EDR and antivirus vendors to ensure that their products are protected from similar attacks in the future.

For organizations using EDR and AV products, the researcher strongly recommends that they consult with their vendors for updates and patches immediately.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

1 day ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

1 day ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

1 day ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

1 day ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago