CVE-2025-45095

HIGH

Lavasoft Web Companion <12.1.3.1037 - Code Injection

Title source: llm

Description

Lavasoft Web Companion (also known as Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037 installs the DCIService.exe service with an unquoted service path vulnerability. An attacker with write access to the file system could potentially execute arbitrary code with elevated privileges by placing a malicious executable in the unquoted path.

References (1)

Core 1

Core References

Various Sources

https://gist.github.com/T4rantell/cd73592950c4ac700b40cc8e8e36494d

Scores

CVSS v3 7.3

EPSS 0.0027

EPSS Percentile 18.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Published Oct 09, 2025

Tracked Since Feb 18, 2026