CVE-2025-34109
published 2025-07-15

CVE-2025-34109: PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper…

Priority P351 · high · 8.5 · CVSS 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 0.28% (20.1th percentile)
PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code execution with SYSTEM privileges. Affected products include Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016 (all versions up to 16.1.2).

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| panda_security | panda_antivirus_pro_2016 | <= 16.1.2 | |
| panda_security | panda_global_protection_2016 | <= 16.1.2 | |
| panda_security | panda_internet_security_2016 | <= 16.1.2 | |
| panda_security | panda_small_business_protection | <= 16.1.2 | |

Detection & IOCs (extracted from sources)

process: PSEvents.exe
  • Monitor for DLL files written to the Panda Security user-writable directory by low-privileged users, especially preceding execution by PSEvents.exe with SYSTEM privileges.
  • Alert on PSEvents.exe spawning child processes or loading DLLs not signed by Panda Security, particularly when the parent process runs as SYSTEM.
  • Look for use of the Metasploit module windows/local/panda_psevents for exploitation attempts in endpoint telemetry.
  • Detect privilege escalation pattern: low-privileged user writing a DLL to the monitored directory, followed within ~1 hour by SYSTEM-level DLL load from the same path via PSEvents.exe.
  • Exploitation is time-gated: PSEvents.exe only runs hourly, so DLL hijack payloads will not execute immediately upon being dropped; detection windows and response timelines should account for up to a 60-minute delay.
  • All versions up to and including 16.1.2 of the affected products are vulnerable; detections should focus on hosts running these specific product versions.
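
The write-then-load pattern from the bullets above, as an added example that is not part of the original page: it correlates file-create and image-load events and alerts when a DLL written by a non-SYSTEM user is later loaded by PSEvents.exe running as SYSTEM. The event schema (simplified, modelled on Sysmon event IDs 11 and 7), the placeholder paths, the 5-minute slack on the hourly window and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions (not from the page): event schema, placeholder paths, 5-minute slack.
WATCH_DIR = "c:\\placeholder\\monitored-dir\\"   # the page does not name the real path
WINDOW = timedelta(minutes=65)                   # hourly PSEvents.exe run plus slack
SYSTEM = "nt authority\\system"

def ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")

def correlate(events):
    """Alert when a DLL written by a non-SYSTEM user is loaded by PSEvents.exe as SYSTEM."""
    writes, alerts = {}, []
    for e in sorted(events, key=ts):
        user = e["User"].lower()
        if e["EventID"] == 11:                       # FileCreate
            path = e["TargetFilename"].lower()
            if path.startswith(WATCH_DIR) and path.endswith(".dll"):
                if user == SYSTEM:
                    writes.pop(path, None)           # replaced by a SYSTEM writer, e.g. an update
                else:
                    writes[path] = e                 # remember the latest low-privileged write
        elif e["EventID"] == 7:                      # ImageLoad
            w = writes.get(e["ImageLoaded"].lower())
            if (w and user == SYSTEM
                    and e["Image"].lower().endswith("\\psevents.exe")
                    and ts(e) - ts(w) <= WINDOW):
                alerts.append({"dll": e["ImageLoaded"], "written_by": w["User"],
                               "delay_min": int((ts(e) - ts(w)).total_seconds() // 60),
                               "signed": e.get("Signed") == "true"})
    return alerts

def ev(eid, t, user, **kw):
    return {"EventID": eid, "UtcTime": "2025-07-15 " + t, "User": user, **kw}

D = "C:\\Placeholder\\Monitored-Dir\\"               # placeholder directory
PSE = "C:\\Placeholder\\Panda\\PSEvents.exe"         # placeholder install path
SAMPLE = [  # constructed events: a vendor write, a stale write, a recent low-privileged write
    ev(11, "09:00:00", "NT AUTHORITY\\SYSTEM", TargetFilename=D + "vendor.dll"),
    ev(11, "08:00:00", "CORP\\bob", TargetFilename=D + "stale.dll"),
    ev(11, "10:05:00", "CORP\\alice", TargetFilename=D + "dropped.dll"),
    ev(7, "10:58:00", "NT AUTHORITY\\SYSTEM", Image=PSE, ImageLoaded=D + "vendor.dll", Signed="true"),
    ev(7, "10:58:00", "NT AUTHORITY\\SYSTEM", Image=PSE, ImageLoaded=D + "stale.dll", Signed="false"),
    ev(7, "10:58:01", "NT AUTHORITY\\SYSTEM", Image=PSE, ImageLoaded=D + "dropped.dll", Signed="false"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Widen `WINDOW` if hosts are often suspended or powered off between hourly runs, since a write that falls outside it, like `stale.dll` in the sample, is not reported.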