Critical Local Privilege Escalation in Malwarebytes Anti‑Malware (ZDI‑26‑267) Threatens Endpoint Security Clients
What Happened — A newly disclosed vulnerability (ZDI‑26‑267 / ZDI‑CAN‑22936) in Malwarebytes Anti‑Malware allows a local attacker to exploit an uncontrolled search‑path element in the Malwarebytes service. By loading a malicious file from an unsecured location, the attacker can execute arbitrary code with SYSTEM privileges. The flaw is patched in version 1.0.6.31.
Why It Matters for TPRM —
- Privilege‑escalation bugs give a threat actor who already holds a low‑privileged foothold a route to full SYSTEM control of any endpoint running the affected security product, turning a minor intrusion into a complete host compromise.
- Unpatched installations expose the entire endpoint fleet to lateral movement and data‑exfiltration risk.
- Third‑party risk assessments must account for the vendor’s patch‑management cadence and the presence of vulnerable agents in the supply chain.
Who Is Affected — Enterprises, managed service providers, and any organization that deploys Malwarebytes Anti‑Malware on Windows endpoints.
Recommended Actions —
- Verify that all Malwarebytes agents are running version 1.0.6.31 or later; apply the update immediately where needed.
- Review endpoint hardening controls (e.g., application whitelisting, restricted write permissions on system directories).
- Monitor for anomalous SYSTEM‑level processes or unexpected file loads from non‑system paths.
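The following PowerShell audit is an added example, not part of the advisory or of the vendor's tooling; it covers the first two actions above on a single Windows host. It assumes the product is discoverable by DisplayName in the standard Uninstall registry keys and that the registry DisplayVersion is comparable to the 1.0.6.31 build named in the advisory, and it treats the machine PATH as the search path worth checking for low‑privilege write access, which is an assumption rather than a detail the advisory states.

```powershell
# Added audit script (not part of the advisory or of Malwarebytes' own tooling).
# Assumptions: the fixed build 1.0.6.31 comes from the advisory; the product is
# found by DisplayName in the standard Uninstall registry keys and its
# DisplayVersion is assumed comparable to that build number; the machine PATH
# is assumed to be where an uncontrolled search-path element would resolve.

$FixedVersion = [version]'1.0.6.31'

function Get-MalwarebytesInstall {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Malwarebytes*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-MalwarebytesPatched {
    param([string]$InstalledVersion)
    # Non-parseable version strings are reported as unpatched so they get reviewed.
    try { [version]$InstalledVersion -ge $FixedVersion } catch { $false }
}

# Directories on the machine PATH that low-privilege principals can write to
# are the classic precondition for search-path abuse; report them for hardening
# (the "restricted write permissions" control from the Recommended Actions).
function Get-WritableSearchPathDirs {
    $lowPriv  = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::Write
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($dir in $dirs) {
        $grants = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $writeBit) -ne 0)
        }
        if ($grants) { $dir }
    }
}

# Report
$installs = @(Get-MalwarebytesInstall)
if ($installs.Count -eq 0) { Write-Output 'Malwarebytes: no entry found in Uninstall keys' }
foreach ($i in $installs) {
    $state = if (Test-MalwarebytesPatched -InstalledVersion $i.DisplayVersion) { 'OK' } else { 'NEEDS UPDATE' }
    Write-Output ('{0} {1}: {2}' -f $i.DisplayName, $i.DisplayVersion, $state)
}
Get-WritableSearchPathDirs | ForEach-Object { Write-Output "Low-privilege writable PATH directory: $_" }
```

Run it from an elevated prompt so that the ACL reads succeed on every PATH entry; any directory it reports is a candidate for tightening write permissions regardless of the patch state.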
Technical Notes — The vulnerability stems from an uncontrolled search‑path element in the Malwarebytes service, enabling a local privilege escalation (CVSS 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No direct data exfiltration is described, but the ability to run code as SYSTEM can be leveraged for broader attacks. Source: Zero Day Initiative advisory