Vulnerability Summary:
The Qualys Cloud Agent for macOS ships an uninstall script, qagent_uninstall.sh, that invokes several system utilities by bare name, without absolute paths and without first resetting PATH to a safe value. When the script is run with sudo from a shell whose PATH has been altered, those utilities are resolved from attacker-controlled directories, which results in a local privilege escalation.
Vulnerability Exploitation Impact:
Local privilege escalation to root on the affected system. Exploitation requires all of the following:
- Local access to the system as a user permitted to run sudo.
- The ability to modify the PATH environment variable.
- Running the uninstall from the same shell session in which PATH was set to point at the directory holding the attacker's executable.
- The ability to run the Cloud Agent uninstall with elevated privileges (sudo /Applications/QualysCloudAgent.app/Contents/MacOS/qagent_uninstall.sh).
Researcher CVSS v3.1 Base Score: 7.8 (High) AV:L / AC:L / PR:L / UI:R / S:U / C:H / I:H / A:H
Qualys CVSS v3.1 Base Score: 6.3 (Medium) AV:L / AC:H / PR:H / UI:R / S:U / C:H / I:H / A:H
Affected Versions: all releases up to and including the current 5.1.x line. Versions 5.0 and earlier have been marked End of Support (EOS): https://notifications.qualys.com/notifications/2025/07/02/end-of-support-qualys-cloud-agent-versions-for-2026
Guard Rails / Mitigations
- Not exploitable from the CAUI: when the agent is uninstalled from the Qualys Cloud Agent UI (CAUI), the uninstall script runs as a child process of the agent, which sanitizes PATH during startup, so the script never inherits a user-controlled PATH.
- Sudo restrictions: exploitation requires that the attacker already has sudo access. In many enterprise environments sudo is restricted to a small set of users, which limits the impact. A user who can already run arbitrary commands via sudo or as root can alter the system in far more direct ways than by changing PATH. The residual risk is for users whose sudo rights are limited to specific commands that include the uninstall script: for them, the bug converts a narrow sudo grant into arbitrary command execution as root.
- Without sudo, a user can still change PATH in their own shell, but cannot run the uninstall script with elevated privileges, so a hijacked utility would execute only with that user's existing rights.
- Terminal scope: a modified PATH applies only to the shell session in which it was set; a newly opened terminal starts with the default PATH.
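The weakness described in the summary and in the guard rails above, shown as an added example rather than as code from the Qualys script: a shell function that calls a utility by bare name is run with an attacker-controlled directory prepended to PATH, next to a hardened version that resets PATH and uses absolute paths. The command (rm), the paths and the fixture are illustrative; qagent_uninstall.sh's actual command list is not reproduced here. Note that the hijack only reaches root when sudo passes the caller's PATH through; a sudoers configuration with secure_path replaces PATH on every sudo invocation and defeats it.

```shell
#!/bin/sh
# Added example (not Qualys code): PATH hijacking of a script that calls
# utilities by bare name, beside a hardened variant. Command names, paths
# and the fixture directory are illustrative assumptions.

# Vulnerable pattern: inherits the caller's PATH and resolves "rm" through it.
vulnerable_cleanup() {
    rm -f "$1"
}

# Hardened pattern: reset PATH to a known-good value before doing anything,
# then call utilities by absolute path so the lookup never consults PATH.
hardened_cleanup() {
    PATH=/usr/bin:/bin:/usr/sbin:/sbin
    export PATH
    /bin/rm -f "$1"
}

# Constructed fixture: an attacker-controlled directory containing a fake
# "rm" that records that it ran and deletes nothing.
make_hijack_dir() {
    dir=$(mktemp -d)
    cat > "$dir/rm" <<'EOF'
#!/bin/sh
printf 'HIJACKED\n' >> "$HIJACK_LOG"
EOF
    chmod 755 "$dir/rm"
    printf '%s\n' "$dir"
}

# Run the named function ($1) with the fake directory first in PATH.
# Prints HIJACKED if the fake rm executed, OK if the real rm removed the file.
run_with_hijacked_path() {
    hijack=$(make_hijack_dir)
    victim=$(mktemp)
    HIJACK_LOG="$hijack/log"
    export HIJACK_LOG
    : > "$HIJACK_LOG"
    saved_path=$PATH
    PATH="$hijack:$PATH"
    export PATH
    "$1" "$victim"
    PATH=$saved_path
    export PATH
    if [ -s "$HIJACK_LOG" ]; then
        result=HIJACKED
    elif [ ! -e "$victim" ]; then
        result=OK
    else
        result=UNKNOWN
    fi
    /bin/rm -rf "$hijack" "$victim"
    printf '%s\n' "$result"
}

# Demonstration when run directly: the bare-name call is redirected to the
# attacker's binary, the hardened call is not.
printf 'vulnerable_cleanup: %s\n' "$(run_with_hijacked_path vulnerable_cleanup)"
printf 'hardened_cleanup:   %s\n' "$(run_with_hijacked_path hardened_cleanup)"
```

In the real scenario the attacker prepends the directory in the same interactive session and then runs the uninstall under sudo; the script executes as root, so the fake utility does too. Resetting PATH at the top of the script (or using absolute paths throughout) removes the dependency on whatever environment sudo passed in.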
FAQs:
Can this vulnerability be exploited remotely?
No. Exploitation requires local access and the ability to run the uninstall script with elevated privileges (sudo or root).
As a customer, what do I need to do to patch this vulnerability?
- If auto-updates are enabled, the agent will update to the latest version without any user interaction.
- If auto-updates are disabled, install the latest version XXX of the agent.
Is the patch available for EOL/EOS agents?
- No. The patch will not be provided for EOL/EOS agents; users on those versions should move to the latest release.
- EOL/EOS details: https://notifications.qualys.com/notifications/2025/07/02/end-of-support-qualys-cloud-agent-versions-for-2026
Has this vulnerability been exploited in the wild?
No, there are no known reports of this vulnerability being exploited in the wild.
How do I know whether my system was exploited?
Several guard rails (above) limit exploitation, and the vulnerability can only be triggered during an uninstall of the agent by a local user running the script with sudo. Because the trigger is a sudo invocation of qagent_uninstall.sh from an interactive shell, records of sudo use on the host are the place to start when reviewing a system.