Key Information

Vulnerability Name: CCleaner v5.33.6162 & CCleaner Cloud v1.07.3191 Malicious Backdoor Supply Chain Compromise
Severity: CRITICAL
Date: October 8, 2025
Affected Versions:
- CCleaner 5.33.6162 (32-bit build)
- CCleaner Cloud 1.07.3191 (32-bit build)
CVE ID: CVE-2017-20201
CWE ID: CWE-506 Embedded Malicious Code
CVSS Score: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
References:
- Piriform CCleaner Advisory
- Avast Initial Announcement
- Avast Updated Announcement
- Morphisec Technical Analysis
- Cisco Talos Technical Analysis
Contributors: Morphisec, Cisco Talos

Description:
- CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contain a malicious loader that runs before the program's normal entry point and redirects execution to a custom loader. That loader decodes an embedded blob into shellcode at runtime, allocates executable heap memory, resolves the Windows API functions it needs, and transfers execution to the payload held in memory. The payload performs anti-analysis checks, collects host telemetry, encodes it with a two-stage obfuscation scheme, and attempts to exfiltrate it over HTTPS to a hardcoded C2 server or to a domain produced by a month-based DGA. Because the payload never touches disk as a conventional executable, file-based scanning of the install directory alone will not reveal it; the compromised binary itself is the indicator. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and subsequent lateral movement.
- CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form Gen Digital. According to the vendor advisories, the compromised CCleaner build was released on August 15, 2017, and fixed on September 12, 2017, in version 5.34; the compromised CCleaner Cloud build was released on August 24, 2017, and fixed on September 15, 2017, in version 1.07.3214.
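The practical question this advisory leaves to the reader is which installs actually carried the backdoor: only the two exact builds above, and only their 32-bit binaries, while anything at or past the fixed versions is clean. The following inventory check is an added example written for this page, not code from the advisory, Avast, Morphisec or Cisco Talos. The record layout (host, product, version, arch fields) and the sample inventory entries are constructed assumptions; only the affected and fixed version numbers come from the advisory. A 64-bit install reporting one of the compromised version strings is flagged for review rather than marked clean, which is a conservative choice of this example, not a statement from the advisory.

```python
"""Classify installed CCleaner builds against the advisory's affected and fixed versions.

Added example, not part of the original advisory. The inventory records and
their field names are constructed sample data (an assumption about how an
asset-inventory export looks); the version numbers in COMPROMISED are the
advisory's own.
"""

# product -> (compromised build, first fixed version), per the advisory
COMPROMISED = {
    "CCleaner": ("5.33.6162", "5.34"),
    "CCleaner Cloud": ("1.07.3191", "1.07.3214"),
}


def version_key(version: str, width: int = 4) -> tuple:
    """Turn '5.33.6162' or 'v5.34' into a zero-padded tuple so that
    '5.34' and '5.34.0.0' compare equal and '5.34.1' compares greater."""
    parts = [int(p) for p in version.strip().lstrip("vV").split(".")]
    parts += [0] * max(0, width - len(parts))
    return tuple(parts)


def classify(product: str, version: str, arch: str) -> str:
    """Return one of: compromised, same-build-review, fixed, not-affected, not-tracked.

    Only the 32-bit ('x86') binary of the listed build is known to carry the
    backdoor; other architectures reporting that build are returned for review
    (conservative assumption of this example, not an advisory statement).
    """
    spec = COMPROMISED.get(product)
    if spec is None:
        return "not-tracked"
    bad, fixed = spec
    key = version_key(version)
    if key == version_key(bad):
        return "compromised" if arch.lower() in ("x86", "32-bit", "i386") else "same-build-review"
    if key >= version_key(fixed):
        return "fixed"
    # Older builds predate the compromised release and are not affected by this issue.
    return "not-affected"


def scan(records: list) -> list:
    """Annotate each inventory record with its status; missing arch counts as unknown."""
    return [
        dict(rec, status=classify(rec["product"], rec["version"], rec.get("arch", "unknown")))
        for rec in records
    ]


def affected_hosts(records: list) -> list:
    """Hosts that need the compromised build removed and a rebuild/IR decision."""
    return sorted(r["host"] for r in scan(records) if r["status"] == "compromised")


# Constructed sample inventory (hostnames and the non-advisory versions are illustrative).
INVENTORY = [
    {"host": "ws-101", "product": "CCleaner", "version": "5.33.6162", "arch": "x86"},
    {"host": "ws-102", "product": "CCleaner", "version": "v5.33.6162", "arch": "x64"},
    {"host": "ws-103", "product": "CCleaner", "version": "5.34", "arch": "x86"},
    {"host": "ws-104", "product": "CCleaner Cloud", "version": "1.07.3191", "arch": "x86"},
    {"host": "ws-105", "product": "CCleaner Cloud", "version": "1.07.3214", "arch": "x86"},
    {"host": "ws-106", "product": "CCleaner", "version": "5.32", "arch": "x86"},
    {"host": "ws-107", "product": "OtherTool", "version": "2.0", "arch": "x86"},
]

if __name__ == "__main__":
    for rec in scan(INVENTORY):
        print(f"{rec['host']:8} {rec['product']:15} {rec['version']:10} {rec['arch']:4} -> {rec['status']}")
    print("remediate:", affected_hosts(INVENTORY))
```

Feed it a real export (CSV from an RMM or endpoint tool mapped into the same dict shape) and treat every "compromised" host as an incident, not just a patch ticket: the advisory describes telemetry exfiltration and a loader that runs in memory, so upgrading to 5.34 or 1.07.3214 removes the backdoored binary but says nothing about what the payload already did on that host.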