A third-party AV flaw on VirusTotal triggering RCE exploit gets patched

Third Party Vendor Antivirus Flaw Vulnerability Virus Total RCE Exploit Patched

A security flaw was found within Google’s VirusTotal platform, allowing threat actors to exploit it to accomplish remote code execution or RCE via the unpatched third-party sandboxing machines employing anti-virus applications. The vulnerability was fixed immediately after being discovered.

VirusTotal is a malware-scanning platform under Google’s security subsidiary that investigates suspicious links, domains, and files and checks for viruses via several third-party AV solutions.


According to analysts, the flaw enables chances of executing commands of the hackers remotely through VirusTotal and allows them to gain access to the platform’s wide array of scanning features.


Moreover, the threat actors launch their attack by uploading a DjVu file from VirusTotal’s web user interface. Upon passing through multiple third-party malware scanning solutions, the actors could activate an exploit using ExifTool’s remote code execution flaw in high severity.

With a VCSS score of 7.8, the security flaw was tracked as CVE-2021-22204, a case of arbitrary code execution resulting from the abuse of DjVu files in ExifTool. On an April 13 security update, the flaw was patched to avoid further exploitations.

The flaw’s exploitation has triggered a reverse shell to the affected devices linked to unpatched anti-virus engines against RCE vulnerability.

From the statement of VirusTotal’s founder, they noted that the platform was not directly affected by the security flaw and confirmed that it has properly functioned as intended. They also added that the remote code executions are from the third-party AV solutions within VirusTotal that analyse and launch the samples.

The vulnerability was quickly reported through the Vulnerability Reward Programs (VRP) of Google, hence immediately patched by the authorised security analysts.

Experts reveal that the ExifTool flaw was previously abused as a channel to establish remote code execution. GitLab had fixed a security flaw last year tracked CVE-2021-22205 with a CVSS score of 10.0, associated with improper validation of images supplied by users that led to arbitrary code execution.

About the author

Leave a Reply