
Brent Zaltsman

#42448 of 53,633
6.3 Total CVSS
Vulnerabilities · 1
PT-2025-46178
6.3
2025-11-10
Qualys · Qualys Cloud Agent · CVE-2025-43079
**Name of the Vulnerable Software and Affected Versions**

Qualys Cloud Agent (affected versions not specified)

**Description**

The Qualys Cloud Agent includes an uninstall script (`qagent uninstall.sh`) for macOS and Linux that invokes system commands without specifying absolute paths or sanitizing the `$PATH` environment. If the script is executed with elevated privileges (e.g., using `sudo`) in a compromised environment where the `$PATH` variable has been manipulated, an attacker with root or sudo privileges could potentially execute malicious executables instead of the intended system binaries. This could lead to local privilege escalation and arbitrary command execution with elevated privileges.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.