CVE-2019-15689

MEDIUM

Kaspersky Internet Security - Exposure to Wrong Actor

Title source: rule

Description

Kaspersky Secure Connection, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Security Cloud prior to version 2020 patch E have bug that allows a local user to execute arbitrary code via execution compromised file placed by an attacker with administrator rights. No privilege escalation. Possible whitelisting bypass some of the security products

References (3)

[Broken Link] https://support.kaspersky.com/general/vulnerability.aspx?el=12430#021219

[Exploit, Third Party Advisory] https://safebreach.com/Post/Kaspersky-Secure-Connection-DLL-Preloading-and-Potential-Abuses-CVE-2019-15689

[Third Party Advisory] https://www.symantec.com/security-center/vulnerabilities/writeup/111033

Scores

CVSS v3 6.7

EPSS 0.0006

EPSS Percentile 17.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-668

Status published

Affected Products (15)

kaspersky/kaspersky_internet_security

kaspersky/secure_connection

kaspersky/security_cloud

kaspersky/total_security

Timeline

Published Dec 02, 2019

Tracked Since Feb 18, 2026