// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-11DTG 0600Z
Endpoint Security Vendor

ESET

11 PUBLIC SECURITY EVENTS ON FILE · 2023-06-01 — 2026-02-06

Publicly-known security events concerning ESET — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What ESET sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

ESET competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 7 vuln disclosures · 4 research pocs.

2026-02-06
vuln disclosure
CVE-2025-13818: ESET Management Agent Local Privilege Escalation via TOCTOU Race ConditionCVE-2025-13818
CVE-2025-13818 is a local privilege escalation vulnerability in ESET Management Agent for Windows caused by a Time-of-Check Time-of-Use (TOCTOU) race condition in temporary batch file handling. A local attacker with high privileges can replace a validated batch file before execution, leading to arbitrary command execution with elevated privileges. ESET has released a patch to address the issue.
2026-01-30
vuln disclosure
Local Privilege Escalation in ESET Inspect Connector via OpenSSL DLL HijackingCVE-2025-13176
A local privilege escalation vulnerability (CVE-2025-13176) was disclosed in ESET Inspect Connector for Windows. The flaw allows a low-privileged user to load a malicious DLL into the SYSTEM-level EDR agent process by exploiting a hardcoded OpenSSL configuration path. This can lead to full system compromise and potential bypass of EDR protections.
2025-04-07
vuln disclosure
ToddyCat APT Exploits ESET Command-Line Scanner Vulnerability to Bypass Windows SecurityCVE-2024-11859
The ToddyCat APT group exploited CVE-2024-11859, a DLL sideloading vulnerability in ESET's command-line scanner (ecls.exe), to execute malicious payloads under the guise of a trusted security process. The attack used a custom malware toolkit called TCESB, which leverages BYOVD and kernel tampering to disable security monitoring. ESET patched the vulnerability on January 21, 2025.
2024-09-27
vuln disclosure
ESET Windows Product File Deletion Vulnerability via Improper Privilege ManagementCVE-2024-7400
CVE-2024-7400 is a high-severity vulnerability in ESET's Windows security products that allows a local low-privileged attacker to delete arbitrary files without proper permissions during the removal of a detected file. This could lead to data loss or system instability. No public exploit or in-the-wild exploitation has been observed.
2024-07-31
vuln disclosure
ESET Smart Security Premium Privilege Escalation via NTFS Alternate Data Stream JunctionCVE-2024-0353
A local privilege escalation vulnerability (CVE-2024-0353) in ESET Smart Security Premium allows a standard user to delete arbitrary files as SYSTEM by exploiting a time-of-check-to-time-of-use (TOCTOU) race condition in the real-time protection feature. The attack leverages NTFS alternate data streams to keep a directory empty during file scanning, then creates a junction to redirect a delete operation to a protected directory like C:\Config.msi. This technique, introduced by researcher Abdelhamid Naceri, bypasses assumptions about directory emptiness and can potentially affect other security products.
2024-05-26
research poc
BOAZ Multilayered AV/EDR Evasion Framework ReleasedBOAZ
BOAZ is a modular evasion framework that combines signature, heuristic, and behavioral bypass techniques to generate undetectable payloads. It was tested against 14 desktop AVs and 7 EDRs, including Sophos, Windows Defender, and ESET. The tool serves as both an evasion testing utility and a packer/obfuscator for researchers.
2024-01-31
vuln disclosure
Unquoted Service Path Privilege Escalation in ESET Products for WindowsCVE-2023-7043
CVE-2023-7043 is a low-severity unquoted service path vulnerability in multiple ESET products for Windows. An attacker with local access and low privileges can place a malicious executable in a specific path, which then runs with NetworkService privileges on boot. This could allow limited privilege escalation and integrity impact.
2023-12-21
vuln disclosure
CVE-2023-5594: ESET Endpoint Antivirus Certificate Validation BypassCVE-2023-5594
CVE-2023-5594 is an improper certificate validation vulnerability in ESET security products' secure traffic scanning feature. The flaw allows acceptance of intermediate certificates signed with weak MD5 or SHA1 algorithms, enabling man-in-the-middle attacks. This undermines TLS/SSL inspection, potentially exposing encrypted traffic to interception.
2023-08-25
research poc
Researchers Bypass ESET NOD32 Detection of Metasploit Meterpreter PayloadNOD32 Meterpreter Bypass (2018)
During a penetration test, researchers bypassed ESET NOD32 antivirus by modifying the Meterpreter DLL source and recompiling, and by embedding encoded shellcode in a custom executable with a filename check to evade signature detection. The technique demonstrates a practical AV evasion method using open-source tool customization.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

ESET ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →