CVE-2025-69875

Impact
- Arbitrary file write to high-integrity directories
- Local privilege escalation
- Potential for service hijacking, DLL hijacking, or execution of attacker-controlled binaries with elevated privileges

No elevated privileges or special system conditions are required; exploitation is fully local.

Affected Product
Product: Quick Heal Total Security
Vendor: Quick Heal Technologies Ltd.
Affected Versions: 23.x

Technical Details
The vulnerability resides in the antivirus quarantine management component. After a quarantined item is mounted through , the user may trigger the restore operation. The restore is performed by a high-privileged Quick Heal service, but the service fails to enforce strict path validation and does not verify whether the requesting user is permitted to write to the target directory. This allows a standard user to force the service to write files into privileged areas such as , with the written files inheriting service-level permissions.

Root Causes (Mapped to MITRE CWE)
- CWE-281 - Improper Preservation of Permissions
- CWE-269 - Improper Privilege Management
- CWE-552 - Files or Directories Accessible to External Parties

Exploitation Notes
Exploit code is intentionally omitted. Reproduction requires:
1. A quarantined file
2. Mounting via
3. Selecting or redirecting the restore path to a protected directory

The restore service writes the file without validating the destination.

Mitigation
- Disable or restrict quarantine mount and restore capabilities for non-administrator users
- Monitor protected directories for unexpected writes performed by Quick Heal services
- Apply policy rules to prevent unauthorized restoration to system paths

POC
https://github.com/mertdas/QuickHealTotalSecurityPOC/blob/main/poc.mp4
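The following is an added illustration of the destination checks the advisory says the restore service omits; it is not Quick Heal code and the directory layout (a "restore" root and a "protected" directory under a temp folder) is constructed for the demo. It canonicalises the requested path before comparing it, so traversal sequences, absolute paths and symlinks into a protected directory are all rejected, and it stands in an os.access call for the per-user write check a real service would do under impersonation.

```python
import os
import tempfile
from pathlib import Path


class RestoreRejected(Exception):
    """Raised when a quarantine restore destination fails validation."""


def validate_restore_destination(requested, allowed_root, protected_roots):
    """Return the canonical destination path or raise RestoreRejected.

    Canonicalise first (os.path.realpath collapses '..' and follows
    symlinks/junctions), then require the result to lie inside allowed_root
    and outside every protected root. Checking the resolved path rather than
    the caller-supplied string is what a naive prefix check misses.
    """
    root = Path(os.path.realpath(allowed_root))
    # An absolute 'requested' replaces allowed_root in os.path.join, so an
    # absolute path into a system directory still reaches the checks below.
    target = Path(os.path.realpath(os.path.join(allowed_root, requested)))
    for prot in protected_roots:
        prot_path = Path(os.path.realpath(prot))
        if target == prot_path or prot_path in target.parents:
            raise RestoreRejected(f"{target} is under protected {prot_path}")
    if root not in target.parents:
        raise RestoreRejected(f"{target} escapes restore root {root}")
    # The service must also confirm the *requesting user* may write here.
    # os.access is a stand-in (assumption): a Windows service would run this
    # check while impersonating the client, not with its own service token.
    parent = target.parent if target.parent.exists() else root
    if not os.access(parent, os.W_OK):
        raise RestoreRejected(f"caller may not write to {parent}")
    return target


def run_demo():
    """Constructed layout: tmp/restore (allowed) and tmp/protected (high-integrity)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        restore, protected = Path(tmp, "restore"), Path(tmp, "protected")
        restore.mkdir()
        protected.mkdir()
        # Symlink inside the allowed root that points at the protected directory.
        (restore / "link").symlink_to(protected, target_is_directory=True)
        cases = [("plain", "report.txt"), ("traversal", "../protected/evil.dll"),
                 ("outside_root", "../outside.txt"),
                 ("absolute", str(protected / "svc.dll")),
                 ("symlink", "link/evil.dll")]
        for label, req in cases:
            try:
                validate_restore_destination(req, restore, [protected])
                results[label] = "allowed"
            except RestoreRejected:
                results[label] = "rejected"
    return results
```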