Summary
A report of an arbitrary file deletion vulnerability (and, by extension, a local privilege escalation vulnerability) was submitted to ESET by Sheikh Rishad. The vulnerability potentially allowed an attacker to misuse the installation file of ESET security products on Windows to delete an arbitrary file without having the permissions to do so.
Details
After pre-creating the target installation directory and setting certain redirects, the vulnerability in the ESET security product installer allowed an attacker with the ability to execute low-privileged code on the target system to delete an arbitrary file, thus escalating their privileges.
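As an added illustration (not ESET's code) of the condition described above, the following PowerShell check, which a deployment script could run before launching an installer, refuses to proceed if the target installation directory was pre-created by an untrusted owner or if it contains reparse points (junctions, symbolic links or mount points); the installation path and the list of trusted owners are assumed example values.

```powershell
# Added example, not part of the ESET installer: pre-installation check for a
# target install directory. It guards against the "pre-created directory plus
# redirect" pattern by refusing to continue when the directory already exists
# with an untrusted owner, or when it or anything beneath it is a reparse point.
# $InstallDir and $trustedOwners are assumed example values.
param(
    [string]$InstallDir = 'C:\Program Files\ESET\ESET Security'
)

$trustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

function Test-InstallDirSafe {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()

    if (-not (Test-Path -LiteralPath $Path)) {
        # Nothing pre-created: the installer will create the directory itself.
        return [pscustomobject]@{ Path = $Path; Safe = $true; Findings = @() }
    }

    # 1. A pre-existing directory owned by a standard user is the starting
    #    point of the pattern described in the advisory.
    $owner = (Get-Acl -LiteralPath $Path).Owner
    if ($trustedOwners -notcontains $owner) {
        $findings += "directory pre-exists and is owned by '$owner'"
    }

    # 2. Reparse points anywhere in the tree can redirect a privileged delete
    #    to a file the low-privileged user could not remove themselves.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $findings += "reparse point ($($item.LinkType)) at $($item.FullName) -> $($item.Target)"
        }
    }

    [pscustomobject]@{ Path = $Path; Safe = ($findings.Count -eq 0); Findings = $findings }
}

$result = Test-InstallDirSafe -Path $InstallDir
$result.Findings | ForEach-Object { Write-Warning $_ }
if (-not $result.Safe) {
    Write-Error "Refusing to launch installer: '$InstallDir' is not in a trusted state."
    exit 1
}
Write-Output "OK: '$InstallDir' passed pre-installation checks."
```

Run it from an elevated session immediately before invoking the installer, because the check is only meaningful if nothing can modify the directory between the check and the installation.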
ESET fixed this possible attack vector and prepared new builds of its products that are no longer susceptible to this vulnerability (refer to Solution below).
Note that the vulnerability is present in the installation file rather than the installed security product itself – therefore, no risk stemming from this vulnerability applies once the ESET security product is installed and running on the system.
The CVE ID reserved for this vulnerability is CVE-2025-5028, with a CVSS v4.0 score of 6.8 and the following CVSS v4.0 vector: AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
To the best of our knowledge, no in-the-wild exploits for this vulnerability exist.
Solution
ESET prepared fixed installation files of its security products, which are available in the Download section of www.eset.com or via the ESET Repository.
- ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security Premium, ESET Security Ultimate 18.2.14.0 and later
- ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 12.0.2058.0, 11.1.2062.0 and later from the respective version family
- ESET Small Business Security and ESET Safe Server 18.2.14.0 and later
ESET also published the fixed ESET Package Installer to ESET PROTECT and ESET PROTECT On-Prem; therefore, both the Live Installer and All-in-one installer packages newly generated by customers in these consoles after July 2 and July 3, respectively, are no longer susceptible to this vulnerability.
Due to unforeseen circumstances, ESET had to temporarily revert the fixed version of ESET Package Installer and replace it with a previous version on August 13, 2025, which reintroduced CVE-2025-5028. On December 16 and December 3, a fixed version was published back to ESET PROTECT and ESET PROTECT On-Prem, respectively, mitigating this vulnerability once again.
Affected products and versions
- ESET NOD32 Antivirus, ESET Internet Security, ESET Smart Security Premium, ESET Security Ultimate 18.1.13.0 and earlier
- ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows 12.0.2049.0, 11.1.2059.0 and earlier from the respective version family (.exe installers only, not .msi)
- ESET Small Business Security and ESET Safe Server 18.1.13.0 and earlier
- Live Installer and All-in-one installer packages generated in ESET PROTECT and ESET PROTECT On-Prem consoles on or before July 2 and July 3, respectively
Feedback & Support
If you have feedback or questions about this issue, use the ESET Security Forum or local ESET Technical Support.
Acknowledgement
ESET values the principles of coordinated disclosure within the security industry and would like to express its thanks to Sheikh Rishad.
Version log
- Version 1.2 (December 19, 2025): Updated information with the return of a fixed version of ESET Package Installer
- Version 1.1 (August 13, 2025): Added information about the revert of ESET Package Installer
- Version 1.0 (July 9, 2025): Initial version of this document