CVE-2017-15643

HIGH

IKARUS Anti Virus 2.16.7 - Remote Code Execution via HTTP Update Response Manipulation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-15643. PoCs published by SecuriTeam.

AI-analyzed exploit summary This exploit leverages a man-in-the-middle (MiTM) attack to intercept and modify HTTP update requests from Ikarus Anti Virus, allowing an attacker to replace the legitimate update executable with a malicious one. The PoC uses mitmproxy to manipulate the update version number and inject a custom executable, achieving remote code execution.

Description

An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files. The attacker first forces the client to initiate an update transaction by modifying an update field within an HTTP 200 response, so that it refers to a nonexistent update. The attacker then modifies the HTTP 404 response so that it specifies a successfully found update, with a Trojan horse executable file (e.g., guardxup.exe) and the correct CRC32 checksum for that file.

Exploits (1)

exploitdb WORKING POC

by SecuriTeam · remotewindows

https://www.exploit-db.com/exploits/44055

View Code ZIP pw:eip

This exploit leverages a man-in-the-middle (MiTM) attack to intercept and modify HTTP update requests from Ikarus Anti Virus, allowing an attacker to replace the legitimate update executable with a malicious one. The PoC uses mitmproxy to manipulate the update version number and inject a custom executable, achieving remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ikarus Anti Virus version 2.16.7

No auth needed

Prerequisites: Network access to intercept HTTP traffic · mitmproxy installed · Victim system running Ikarus Anti Virus with automatic updates enabled

MITRE ATT&CK

T1189 - Drive-by Compromise T1557 - Adversary-in-the-Middle

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Technical Description, Third Party Advisory x_refsource_misc

https://blogs.securiteam.com/index.php/archives/3485

Vendor Advisory x_refsource_misc

https://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0001/

Scores

CVSS v3 7.4

EPSS 0.0614

EPSS Percentile 92.5%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-444

Status published

Products (1)

ikarussecurity/ikarus_antivirus 2.16.7

Published Oct 19, 2017

Tracked Since Feb 18, 2026