Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by Piriform
CVE-2017-20201 (GCVE-0-2017-20201)
Vulnerability from cvelistv5 – Published: 2025-10-08 22:04 – Updated: 2025-11-21 14:11 X_Known Exploited Vulnerability
VLAI
Title
CCleaner v5.33.6162 & CCleaner Cloud v1.07.3191 Malicious Backdoor Supply Chain Compromise
Summary
CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-506 - Embedded Malicious Code
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://blog.avast.com/update-to-the-ccleaner-5.3… | vendor-advisory |
| https://blog.avast.com/progress-on-ccleaner-inves… | vendor-advisory |
| https://www.ccleaner.com/ | product |
| https://www.crowdstrike.com/en-us/blog/protecting… | technical-description |
| https://www.ccleaner.com/knowledge/security-notif… | vendor-advisorypatch |
| https://www.morphisec.com/blog/morphisec-discover… | technical-description |
| https://blog.talosintelligence.com/avast-distribu… | technical-description |
| https://www.vulncheck.com/advisories/ccleaner-and… | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Piriform | CCleaner |
Affected:
5.33.6162
|
|
| Piriform | CCleaner Cloud |
Affected:
1.07.3191
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20201",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T14:06:37.177224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:19:01.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.crowdstrike.com/en-us/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"__scrt_common_main_seh"
],
"platforms": [
"Windows",
"32 bit"
],
"product": "CCleaner",
"vendor": "Piriform",
"versions": [
{
"status": "affected",
"version": "5.33.6162"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"__scrt_common_main_seh"
],
"platforms": [
"Windows",
"32 bit"
],
"product": "CCleaner Cloud",
"vendor": "Piriform",
"versions": [
{
"status": "affected",
"version": "1.07.3191"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piriform:ccleaner:5.33.6162:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Morphisec"
},
{
"lang": "en",
"type": "finder",
"value": "Cisco Talos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214.\u003cbr\u003e"
}
],
"value": "CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214."
}
],
"impacts": [
{
"capecId": "CAPEC-186",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-186 Malicious Software Update"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T14:11:55.224Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://blog.avast.com/progress-on-ccleaner-investigation"
},
{
"tags": [
"product"
],
"url": "https://www.ccleaner.com/"
},
{
"tags": [
"technical-description"
],
"url": "https://www.crowdstrike.com/en-us/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ccleaner.com/knowledge/security-notification-ccleaner-v5336162-ccleaner-cloud-v1073191"
},
{
"tags": [
"technical-description"
],
"url": "https://www.morphisec.com/blog/morphisec-discovers-ccleaner-backdoor/"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.talosintelligence.com/avast-distributes-malware/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ccleaner-and-ccleaner-cloud-malicious-backdoor-supply-chain-compromise"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_known-exploited-vulnerability"
],
"title": "CCleaner v5.33.6162 \u0026 CCleaner Cloud v1.07.3191 Malicious Backdoor Supply Chain Compromise",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2017-20201",
"datePublished": "2025-10-08T22:04:08.894Z",
"dateReserved": "2025-10-08T17:15:41.323Z",
"dateUpdated": "2025-11-21T14:11:55.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2015-3999 (GCVE-0-2015-3999)
Vulnerability from cvelistv5 – Published: 2015-05-20 18:00 – Updated: 2024-08-06 06:04
VLAI
Summary
Piriform CCleaner 3.26.0.1988 through 5.02.5101 writes the filenames to disk when overwriting files, which allows local users to obtain sensitive information by searching unallocated disk space.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://seclists.org/fulldisclosure/2015/May/72 | mailing-listx_refsource_FULLDISC |
| http://www.securityfocus.com/bid/74714 | vdb-entryx_refsource_BID |
Date Public
2015-05-18 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:04:02.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150518 KL-001-2015-002 : Piriform CCleaner Wiped Filename Recovery",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/May/72"
},
{
"name": "74714",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/74714"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-05-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Piriform CCleaner 3.26.0.1988 through 5.02.5101 writes the filenames to disk when overwriting files, which allows local users to obtain sensitive information by searching unallocated disk space."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-05-20T18:57:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150518 KL-001-2015-002 : Piriform CCleaner Wiped Filename Recovery",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/May/72"
},
{
"name": "74714",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/74714"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-3999",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piriform CCleaner 3.26.0.1988 through 5.02.5101 writes the filenames to disk when overwriting files, which allows local users to obtain sensitive information by searching unallocated disk space."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150518 KL-001-2015-002 : Piriform CCleaner Wiped Filename Recovery",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/May/72"
},
{
"name": "74714",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/74714"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-3999",
"datePublished": "2015-05-20T18:00:00.000Z",
"dateReserved": "2015-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:04:02.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}