Multiple Zero-Day Vulnerabilities in Antivirus and Endpoint Let Attackers Install Data Wipers

Or Yair of SafeBreach Labs recently discovered multiple security Zero-Day vulnerabilities that could be exploited by the threat actors to create next-generation wipers by converting the endpoint detection & response and antivirus products.

At the BlackHat Europe cybersecurity conference, the technical team presented the identified flaws that led to the EDR and AV exploits. 

The researcher was able to exploit the flaws discovered to delete arbitrary files and directories on the system as well as render the machine inoperable as a consequence.

Next-Generation Wiper Tool

Aikido is the wiper tool that has been developed by the Or Yair of SafeBreach Labs, and the purpose of this wiper is to defeat the opponent by using their own power against them.

As a consequence, this wiper can be run without being given privileges. In addition, it is also capable of wiping almost every file on a computer, including the system files, in order to make it completely unbootable and unusable.

EDRs are responsible for deleting malicious files in two main ways, depending on the following contexts:-

  • Time of threat identification
  • Time of threat deletion
Window Opportunity (Safebreach)

As soon as a malicious file is detected and the user attempts to delete it, the Aikido wiper takes advantage of a moment of opportunity. 

This wiper makes use of a feature in Windows allowing users to create junction point links (symlinks) regardless of the privileges of the users’ accounts, which is abused by this wiper.

A user who does not have the required permissions to delete system files (.sys) will not be able to delete those files according to Yair. By creating a decoy directory, he was able to trick the security product to delete the file instead of preventing it from being deleted. 

Likewise, he placed a string inside the group that resembled the path intended for deletion, for example, as follows:-

  • C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers

Qualities of the Aikido Wiper

Here below we have mentioned all the general qualities of the Aikido Wiper:-

  • Fully Undetectable
  • Makes the System Unbootable
  • Wipes Important Data
  • Runs as an Unprivileged User
  • Deletes the Quarantine Directory

Product analysis and response from the vendor

It was found that six out of 11 security products tested by Or Yair were vulnerable to this exploit. In short, over 50% of the products in this category that is tested are vulnerable.

Here below we have mentioned the vulnerable ones:-

  • Defender
  • Defender for Endpoint
  • SentinelOne EDR
  • TrendMicro Apex One
  • Avast Antivirus
  • AVG Antivirus

Here below we have mentioned the products that are not vulnerable:-

  • Palo Alto XDR
  • Cylance
  • CrowdStrike
  • McAfee
  • BitDefender

Between the months of July and August of this year, all the vulnerabilities have been reported to all the vendors that have been affected. There was no arbitrary file deletion achieved by the researcher in the case of Microsoft Defender and Microsoft Defender for Endpoint products.

In order to cope with the vulnerabilities, three of the vendors have issued the following CVEs:-

This exploit was also addressed by three of the software vendors by releasing updated versions of their software to address it:-

  • Microsoft Malware Protection Engine: 1.1.19700.2
  • TrendMicro Apex One: Hotfix 23573 & Patch_b11136
  • Avast & AVG Antivirus: 22.10

This type of vulnerability should be proactively tested by all EDR and antivirus vendors to ensure that their products are protected from similar attacks in the future.

For organizations using EDR and AV products, the researcher strongly recommends that they consult with their vendors for updates and patches immediately.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

3 hours ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

3 hours ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

4 hours ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

5 hours ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

5 hours ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

6 hours ago