PT-2025-46178 · Qualys · Qualys Cloud Agent

Brent Zaltsman · Published 2025-11-10 · Updated 2025-11-17

CVE-2025-43079 · CVSS v3.1 6.3 (Medium) · Vector AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Qualys Cloud Agent (affected versions not specified)

Description: The Qualys Cloud Agent ships an uninstall script (qagent uninstall.sh) for macOS and Linux that invokes system commands by bare name, without absolute paths and without resetting or sanitizing the $PATH environment variable. When the script is run with elevated privileges (for example via sudo) in an environment whose $PATH has been manipulated so that an attacker-controlled directory precedes the system directories, the shell resolves those bare names to the attacker's executables instead of the intended system binaries, and they run with the script's privileges. The outcome is arbitrary command execution as root and, where a lower-privileged user can influence the $PATH seen by the privileged invocation, local privilege escalation (CWE-426, Untrusted Search Path).

The CVSS vector (PR:H, UI:R) reflects that an administrator has to run the script and that the manipulated $PATH has to actually reach it. sudo keeps the caller's $PATH through env_reset unless sudoers sets secure_path, in which case $PATH is replaced with the configured value and this variant is blocked; common Linux distributions (Debian, Ubuntu, RHEL and derivatives) set secure_path by default, while the stock macOS sudoers does not. `sudo -l` lists secure_path among the matching Defaults entries when it is in effect.

Recommendations: At the time of writing, no fixed version has been announced. Until one is available, do not let the uninstall script inherit the calling shell's $PATH: invoke it with an explicit trusted PATH (for example `sudo /usr/bin/env PATH=/usr/sbin:/usr/bin:/sbin:/bin /bin/sh <path to the uninstall script>`, using absolute paths for env and sh so that neither is itself resolved through a poisoned $PATH), confirm that no user-writable directory appears in that PATH, and on Linux ensure that sudoers sets secure_path.
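The mechanism described above, as an added example that is not part of the advisory or Qualys's own code: a minimal uninstall-style function written in the vulnerable shape (bare command names resolved via $PATH), a hardened counterpart that resets PATH and calls binaries by absolute path, and a harness that plants a fake `rm` in an attacker-controlled directory at the front of $PATH. The function names, the `agent.state` file and the fake-binary log are invented for the demonstration; it runs unprivileged, so the fake binary executes as the current user rather than as root.

```shell
#!/bin/sh
# Added example, not Qualys code. Demonstrates CWE-426 (untrusted search path)
# in a shell script run with an inherited, attacker-influenced $PATH.

# Vulnerable shape: "rm" is looked up by walking $PATH, whatever it contains.
vulnerable_uninstall() {
    rm -f "$1/agent.state"
}

# Hardened shape: reset PATH to trusted system directories first and call
# binaries by absolute path, so the caller's $PATH cannot redirect them.
hardened_uninstall() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    /bin/rm -f "$1/agent.state"
}

# Harness: run the given function with an attacker directory prepended to
# $PATH. The planted "rm" appends a line to a log instead of deleting anything.
# Prints how many times the planted binary ran: 1 means the lookup was
# hijacked, 0 means the real /bin/rm was used. Under sudo, a hijacked lookup
# would run the planted binary as root.
run_with_hijacked_path() {
    func="$1"
    work=$(mktemp -d)          # invented working directory for the demo
    evil="$work/evil"          # attacker-controlled PATH entry
    log="$work/hijack.log"     # evidence that the planted binary executed
    mkdir "$evil"
    cat > "$evil/rm" <<EOF
#!/bin/sh
echo "planted rm ran as uid \$(id -u) with args: \$*" >> "$log"
EOF
    chmod 755 "$evil/rm"
    : > "$work/agent.state"
    # Subshell so neither the poisoned PATH nor the hardened reset leaks out;
    # hash -r drops any cached lookup of "rm" from earlier calls.
    ( PATH="$evil:$PATH"; export PATH; hash -r 2>/dev/null || true; "$func" "$work" )
    if [ -f "$log" ]; then hits=$(grep -c 'planted rm ran' "$log"); else hits=0; fi
    rm -rf "$work"
    echo "$hits"
}

echo "vulnerable_uninstall: planted binary ran $(run_with_hijacked_path vulnerable_uninstall) time(s)"
echo "hardened_uninstall:   planted binary ran $(run_with_hijacked_path hardened_uninstall) time(s)"
```

The same check applies to the real script: run `command -v` on each bare command name it uses from a shell whose $PATH starts with a directory you control, and any name that resolves into that directory is a hijack point when the script is executed via a sudo configuration that preserves $PATH.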

LPE · Untrusted Search Path · Incorrect Permission

Weakness Enumeration

Related Identifiers: CVE-2025-43079

Affected Products: Qualys Cloud Agent