Impact
IObit Malware Fighter 4.3.1 has an unquoted service path vulnerability in the IMFservice and LiveUpdateSvc services. The flaw, categorized as CWE-428, lets a local attacker place a malicious executable at a location that the operating system resolves before the intended service binary when it interprets the unquoted path. When the service restarts or the system reboots, that executable runs with LocalSystem privileges, allowing the attacker to gain full control of the machine.
Affected Systems
The vulnerability affects the IObit Malware Fighter product family, particularly version 4.3.1 and other 4.x releases that use the same IMFservice and LiveUpdateSvc binaries. The vendor is IObit, and any installation of the application on a Windows workstation is potentially impacted when the services are configured with unquoted paths.
Risk and Exploitability
The CVSS base score of 8.5 indicates high severity. Because the exploit requires only local user access and no network interaction, it is feasible in environments where end users have interactive access to the machine. The EPSS score is not available, but the lack of external exposure does not diminish the risk for typical desktop deployments. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, yet its impact remains significant for users who have not upgraded to a version that properly quotes service paths.
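To check whether a host is exposed to this class of flaw, the following added example (not part of the original advisory or of any IObit tooling) flags service ImagePath values that are unquoted and contain spaces, and lists the directories whose write permissions decide the real exposure. The service names and paths are constructed placeholders; on a real system the values would come from the service configuration.

```python
import re

# The image portion of an ImagePath ends at the first executable extension
# that is followed by whitespace or end of string; the rest is arguments.
_IMAGE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def image_part(image_path):
    """Return the executable path without trailing arguments."""
    path = image_path.strip()
    match = _IMAGE_END.search(path)
    return path[:match.end()] if match else path

def is_unquoted_with_spaces(image_path):
    """True when the image path contains a space and is not quoted (CWE-428)."""
    path = image_path.strip()
    return not path.startswith('"') and " " in image_part(path)

def directories_to_audit(image_path):
    """Directories where the path can split at a space; their write ACLs
    decide whether the unquoted path is actually exposed."""
    if not is_unquoted_with_spaces(image_path):
        return []
    exe, dirs = image_part(image_path), []
    for index, char in enumerate(exe):
        if char == " " and "\\" in exe[:index]:
            parent = exe[:index].rsplit("\\", 1)[0] + "\\"
            if parent not in dirs:
                dirs.append(parent)
    return dirs

# Constructed sample data: hypothetical service names and ImagePath values.
SAMPLE_SERVICES = {
    "ExampleSvc": r"C:\Program Files\Example Vendor\Example App\svc.exe /service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Example App\svc.exe" /service',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

def audit(services):
    """Map each flagged service name to the directories that need an ACL review."""
    return {name: directories_to_audit(path)
            for name, path in services.items()
            if is_unquoted_with_spaces(path)}

if __name__ == "__main__":
    for name, dirs in audit(SAMPLE_SERVICES).items():
        print(name, dirs)
```

A flagged service is remediated by quoting its ImagePath; the listed directories should also deny write access to non-administrative users.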