More Than 340,000 ESET Users at Risk To Hackers


No matter how thick, no matter how tall, even the strongest of walls can fall. This month, a lot of folks felt a stone slip loose, as a recently-discovered security vulnerability in antivirus software from ESET was publicly announced, sending seismic shocks through the cybersecurity world. The flaw, actively exploited by a sophisticated hacker group, has potentially placed more than 340,000 businesses at risk… once again proving that even the tools we rely on for digital protection can themselves become targets, access points, or even weapons in the wrong hands.

This breach not only exposed the fragility of many modern security systems, but it also paints a pretty clear picture of just how important proactive defense is. It’s a timely and chilling reminder — even with all the powerful digital security protections you have in place for your company, who’s watching that watchtower? And what can you do when your company (or someone else) finds a crack between the stones?

The Incident: A Trusted Security Tool Becomes the Attack Vector

In early 2025, it was discovered that ESET’s robust and popular set of cybersecurity tools had been quietly but maliciously turned against their users. ESET is one of the most widely-used antivirus and cybersecurity providers, offering software solutions for both individuals and businesses. But cybersecurity researchers uncovered that one of its components had a serious flaw.

This one stings more than most, because we’re conditioned to trust antivirus software. It’s one of our routine first lines of defense… and when the defense has become offensive, it can be hard to know what to do.

This particular vulnerability, officially catalogued as CVE-2024-11859, was exploited by an advanced persistent threat (APT) group known as ToddyCat. This group is known for its stealthy cyberespionage campaigns (often targeting governments, defense contractors, and major corporations) across Europe and Asia.

By leveraging this flaw in ESET’s products, ToddyCat was able to install malware onto protected systems… stealthily and effectively letting themselves into and through those defensive walls. In doing so, they managed to turn a security solution into a buried backdoor for cyberattacks, not only empowering them to do significant damage but also making it very, very hard to catch them in the act.

How Did the Attack Work?

Without getting too deep into the weeds, the core of the issue is that ToddyCat figured out ESET’s software could be manipulated into loading certain files insecurely. This vulnerability allowed attackers who already had access to the system (for example, through a phishing email or another exploit) to trick the antivirus itself into running malicious code.

Once this malicious code was activated, it allowed the attackers to silently infiltrate the system. The malware used, known as TCESB, was specifically designed to remain hidden. It disables monitoring tools, avoids antivirus detection, and can manipulate core functions of the Windows operating system to stay under the radar.

In simpler terms: hackers found a way to sneak malware onto users’ systems using your own antivirus software. Once inside, they had the tools to burrow in deep, stay hidden, and collect sensitive information over time.
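As an added illustration of the defensive side of the insecure-loading problem described above (this is not code from the original post, from ESET, or from the researchers who analysed the attack): a small Python checker that reads image-load records in a Sysmon-like format and flags any module a security product's process pulled in from outside its own install directory or System32, or that is unsigned. The process path, module names and log format are constructed placeholders, and treating the flaw as a library-loading issue is an assumption made here rather than a detail the post gives.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample of image-load records (Sysmon "Image loaded", Event ID 7,
# flattened to one line each). Process path and DLL names are placeholders.
SAMPLE_EVENTS = """\
Image: C:\\Program Files\\SecurityVendor\\scanner.exe | ImageLoaded: C:\\Windows\\System32\\advapi32.dll | Signed: true
Image: C:\\Program Files\\SecurityVendor\\scanner.exe | ImageLoaded: C:\\Program Files\\SecurityVendor\\engine.dll | Signed: true
Image: C:\\Program Files\\SecurityVendor\\scanner.exe | ImageLoaded: C:\\Users\\alice\\Downloads\\support.dll | Signed: false
Image: C:\\Program Files\\SecurityVendor\\scanner.exe | ImageLoaded: C:\\Temp\\helper.dll | Signed: true
Image: C:\\Windows\\explorer.exe | ImageLoaded: C:\\Temp\\helper.dll | Signed: true
"""

# Directories a security product's process should legitimately load code from:
# its own install directory and the Windows system directory (assumed layout).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\program files\securityvendor"}
RECORD_RE = re.compile(r"Image: (.+?) \| ImageLoaded: (.+?) \| Signed: (true|false)$")

@dataclass
class ImageLoad:
    process: str   # executable that performed the load
    module: str    # DLL/module that was loaded
    signed: bool   # whether the module carried a valid signature

def parse_event(line: str) -> ImageLoad:
    # One flattened record in; raise rather than silently skip malformed input.
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    return ImageLoad(m.group(1), m.group(2), m.group(3) == "true")

def suspicious_loads(events: str, monitored_process: str) -> list[tuple[str, list[str]]]:
    # Report (module, reasons) for loads by the monitored process that come from
    # outside the trusted directories or are unsigned; other processes are ignored.
    findings = []
    for line in filter(str.strip, events.splitlines()):
        ev = parse_event(line)
        if ev.process.lower() != monitored_process.lower():
            continue
        reasons = []
        if ntpath.dirname(ev.module).lower() not in TRUSTED_DIRS:
            reasons.append("module outside trusted directories")
        if not ev.signed:
            reasons.append("module unsigned")
        if reasons:
            findings.append((ev.module, reasons))
    return findings
```

Run against real telemetry, the trusted-directory set would come from the product's actual install path, and a hit on an unsigned or out-of-place module loaded by the scanner is the kind of signal worth escalating rather than waiting for the antivirus to report on itself.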

Who Is at Risk?

The vulnerability affected a wide array of ESET products (both for consumers and enterprise users). The following products were confirmed to be vulnerable before patches were released:

  • ESET NOD32 Antivirus
  • ESET Internet Security
  • ESET Smart Security Premium
  • ESET Endpoint Antivirus for Windows
  • ESET Endpoint Security for Windows
  • ESET Server Security for Microsoft Windows Server
  • ESET File Security for Microsoft Windows Server
  • ESET Server Security for Microsoft Azure
  • ESET Security for Microsoft SharePoint Server
  • ESET Mail Security for IBM Domino
  • ESET Mail Security for Microsoft Exchange Server

Given the popularity of these products in both private and public sectors, it’s estimated that as many as 342,176 users may have been affected or were at risk during the exposure window.

It’s worth noting that there’s no evidence the attackers targeted every single ESET user… but the scale of the vulnerability means many were left open to potential attack. Considering the stealthy nature of this intrusion, it’s not unreasonable for any given user to assume they were (or could still be) impacted, and to take action accordingly to root it out.

ESET’s Response: Patches and Mitigations

ESET acted quickly once the issue was reported. They have since released security patches for all affected software versions, and issued a public advisory in early April 2025.

As a temporary workaround, ESET suggested disabling a feature called AMSI (Antimalware Scan Interface) scanning (which relates to the part of the software impacted by the vulnerability). However, ESET stressed that this should be a short-term solution and strongly urged users to install the updated, patched versions of their software to shore up the breach and prevent future incursions.

In particular, businesses using ESET in managed IT environments should prioritize applying the update across all endpoints as part of their cybersecurity hygiene practices.

What Could This Mean for You?

For most users, the idea that antivirus software — something they paid for to protect themselves and something they trust to do what it’s designed to do — could be used against them is both alarming and confusing… and rightly so!

In the simplest terms, this kind of attack could result in a range of consequences, including:

  • Stolen personal data (documents, passwords, financial information)
  • Corporate espionage, particularly for businesses handling sensitive data
  • Persistent backdoors, allowing hackers to return even after detection
  • Use of compromised devices in broader attacks, such as launching phishing campaigns from your email or using your network to infect others

Whether you’re an individual, a small business, or an enterprise, the risk here goes beyond one device… it can jeopardize entire networks and reputations (while continuing to allow bad actors to springboard from target to target and keep sowing backdoors and weaknesses into the infrastructure).

What Should You Do Now?

If you use any ESET product — or if you’re not sure — it’s critical to take action immediately to protect yourself, your system, and your business as a whole. Here’s what to do:

  1. Update Your Software

If you do nothing else to respond to this potential incursion, at least do this: open your ESET product and ensure it’s updated to the latest version. Updates often include critical security patches, and in this case, the fix for CVE-2024-11859 is already available.

If your system is managed by an IT provider, contact them to confirm updates have been applied across all devices.

  2. Run a Full Security Scan

Once updated, perform a full system scan. Although the attack was stealthy, a deep scan with the latest definitions may detect traces of past infection or other malicious files.

Consider scanning with a second tool like Microsoft Defender Offline or Malwarebytes for added peace of mind.

  3. Check System Behavior

Look for signs of compromise, such as slower performance, unknown apps running, or unexpected network traffic. Any of these might indicate something malicious has been running in the background.

  4. Monitor Accounts and Change Passwords

As a precaution, monitor your online accounts for unusual activity and change passwords (particularly for banking, email, and business accounts).

Additionally, you should enable two-factor authentication wherever available to protect your accounts from unauthorized access.

  5. Stay Informed and Vigilant

Cyber threats are evolving. Stay updated on advisories from your antivirus provider and consider subscribing to security news alerts from trusted sources like CERT, CISA, or your local cybersecurity center.

Trust but Verify!

As jarring and upsetting as it is, the ESET vulnerability exploited by ToddyCat serves as a timely wake-up call: in an age of sophisticated cyberattacks, even security software can become a target. But while the situation is serious, it’s also manageable — as long as users act quickly and responsibly.

If you’re an ESET user, don’t panic… but do act. Ensuring your software is updated, scanning your systems, and following cybersecurity best practices will go a long way in protecting your data and devices from exploitation.

Remember, strong cybersecurity isn’t just about having the right tools… it’s about using them wisely, and keeping them updated. Don’t just man your watchtowers; monitor them, be vigilant for cracks, and keep them standing strong against all possible digital intruders.

Looking for more allies on your cybersecurity ramparts? Reach out to us today; we’re here and ready to help reinforce your digital moat.