Description
PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code execution with SYSTEM privileges. Affected products include Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016 (all versions up to 16.1.2).
Published: 2025-07-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PSEvents.exe, a background module in several Panda Security products, executes with SYSTEM privileges and automatically loads DLL files from a directory that is writable by non‑administrator users. The component fails to validate or restrict the path of DLLs it loads, which allows a local attacker to drop a malicious DLL into that directory. When PSEvents.exe loads the file, the attacker’s code runs with the full SYSTEM account, giving the attacker complete control over the affected machine. This flaw is a classic example of insecure DLL loading, mapping to CWE‑427, and results in total local privilege escalation.

Affected Systems

The vulnerability affects Panda Security’s Panda Antivirus Pro 2016, Panda Global Protection 2016, Panda Internet Security 2016, and Panda Small Business Protection, all versions up to 16.1.2. These products are widely deployed in both enterprise and small‑business environments and rely on the PSEvents.exe service for regular operations.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity issue, while the EPSS score of <1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The flaw requires only local write access to the monitored DLL directory, meaning any user with local access—encompassing typical non‑administrator accounts—can perform the attack. Based on the description, the likely attack vector is a local file‑write that leads to DLL hijacking and execution as SYSTEM.

Generated by OpenCVE AI on June 18, 2026 at 11:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Panda Security to version 16.1.2 or later to apply the vendor’s DLL loading fix
  • Revoke write permissions on the PSEvents.exe monitored DLL directory for all non‑administrator accounts and restrict access to SYSTEM only
  • If an update is not immediately possible, relocate the monitored directory to a non‑writable location, adjust PSEvents.exe configuration to disallow user‑controlled DLL loading, or temporarily disable DLL loading from the directory

Generated by OpenCVE AI on June 18, 2026 at 11:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21431 PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code execution with SYSTEM privileges. Affected products include Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016 (all versions up to 16.1.2).
History

Fri, 21 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Pandasecurity
Pandasecurity panda Antivirus Pro
Pandasecurity panda Global Protection 2016
Pandasecurity panda Internet Security 2014
CPEs cpe:2.3:a:pandasecurity:panda_antivirus_pro:*:*:*:*:*:*:*:*
cpe:2.3:a:pandasecurity:panda_global_protection_2016:*:*:*:*:*:*:*:*
cpe:2.3:a:pandasecurity:panda_internet_security_2014:*:*:*:*:*:*:*:*
Vendors & Products Pandasecurity
Pandasecurity panda Antivirus Pro
Pandasecurity panda Global Protection 2016
Pandasecurity panda Internet Security 2014

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00014}


Tue, 15 Jul 2025 14:30:00 +0000


Tue, 15 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 15 Jul 2025 14:00:00 +0000


Tue, 15 Jul 2025 13:15:00 +0000

Type Values Removed Values Added
Description PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code execution with SYSTEM privileges. Affected products include Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016 (all versions up to 16.1.2).
Title Panda Security PSEvents.exe Insecure DLL Loading Privilege Escalation
Weaknesses CWE-427
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Pandasecurity Panda Antivirus Pro Panda Global Protection 2016 Panda Internet Security 2014
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T11:14:42.519Z

Reserved: 2025-04-15T19:15:22.560Z

Link: CVE-2025-34109

cve-icon Vulnrichment

Updated: 2025-07-15T13:37:10.250Z

cve-icon NVD

Status : Deferred

Published: 2025-07-15T13:15:30.683

Modified: 2026-06-17T09:13:28.947

Link: CVE-2025-34109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:45:15Z

Weaknesses
  • CWE-427

    Uncontrolled Search Path Element