Security readout for executives and security teams
Plain-English summary
Attackers slipped a hidden backdoor into officially signed CCleaner installers distributed by Piriform between August and September 2017. Anyone who downloaded those specific 32-bit builds during that window received malware that quietly collected system information and reached out to attacker-controlled servers. Because the trojanized files came through legitimate update channels, normal trust signals offered no protection.
Executive priority
Treat as a closed historical incident with residual hunt obligation. If your organization ran 32-bit CCleaner in late 2017, fund a retrospective compromise assessment and credential rotation. Going forward, prioritize vendor supply chain assurance over reacting to this specific CVE.
Technical view
The 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 binaries contained a pre-main loader hijacking __scrt_common_main_seh. It decoded an embedded blob, allocated executable heap memory, dynamically resolved Windows APIs, and ran a reflective payload entirely in memory. The payload performed anti-analysis checks, harvested host telemetry, applied two-stage obfuscation, and exfiltrated data over HTTPS to hard-coded C2 servers and month-based DGA fallback domains.
Likely exposure
Exposure was limited to Windows hosts that installed the specific 32-bit builds (CCleaner 5.33.6162 from 15 Aug 2017 or CCleaner Cloud 1.07.3191 from 24 Aug 2017) before the September 2017 fixes. Avast reported roughly 2.27 million machines received the trojanized build, with a smaller second-stage targeting major technology firms.
Exploitation context
Confirmed real-world supply chain compromise, not just theoretical. Avast, Cisco Talos, Morphisec, and CrowdStrike documented active deployment of the backdoor and second-stage targeting of selected technology vendors. Not currently listed in CISA KEV, but vendor and third-party telemetry confirm in-the-wild execution during the August–September 2017 window. Exploitation required only normal installation of the signed installer.
Researcher notes
CWE-506 (Embedded Malicious Code) fits cleanly. The loader pattern—hijacking CRT startup, in-memory decode, dynamic API resolution, two-stage obfuscated HTTPS exfil with DGA fallback—is well-documented across Talos, Morphisec, Avast, and CrowdStrike. Only 32-bit builds were affected; 64-bit users were unaffected per vendor advisories. Worth modeling as a baseline supply chain compromise case study for detection engineering and IR tabletop exercises.
Mitigation direction
- Upgrade affected hosts to CCleaner 5.34+ or CCleaner Cloud 1.07.3214+ per Piriform/Avast advisories.
- Hunt historical endpoints for the trojanized 32-bit binaries and known C2/DGA indicators from Talos and Avast.
- Rebuild any host where second-stage payload activity is suspected rather than relying on cleanup.
- Rotate credentials, tokens, and keys used on potentially compromised systems during August–September 2017.
- Review software supply chain controls: code-signing trust, build pipeline integrity, and vendor update validation.
Validation and detection
- Inventory installed CCleaner versions and flag exact builds 5.33.6162 (32-bit) and Cloud 1.07.3191.
- Search EDR/SIEM history for outbound connections to documented C2 hosts and monthly DGA domains.
- Check registry and forensic artifacts described in Talos and Avast write-ups for second-stage indicators.
- Confirm patched build is running and that auto-update channel is healthy on managed endpoints.
- Cross-reference any matched hosts against Avast's published list of targeted second-stage organizations.
Public sources used
- CVE Program — CVE-2017-20201
- Avast: Update to CCleaner 5.33.6162 Security Incident
- Avast: Progress on CCleaner Investigation
- Piriform/CCleaner Security Notification
- Cisco Talos: CCleanup — A Vast Number of Machines at Risk
- Morphisec: Discovery of the CCleaner Backdoor
- CrowdStrike: Protecting the Software Supply Chain — CCleaner Backdoor
- VulnCheck Advisory — CCleaner Supply Chain Compromise
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-506: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2017-20201 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.3 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
9.3CriticalVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incidentCVE reference · vendor-advisory
- https://blog.avast.com/progress-on-ccleaner-investigationCVE reference · vendor-advisory
- https://www.ccleaner.com/CVE reference · product
- https://www.crowdstrike.com/en-us/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/CVE reference · technical-description
- https://www.ccleaner.com/knowledge/security-notification-ccleaner-v5336162-ccleaner-cloud-v1073191CVE reference · vendor-advisory, patch
- https://www.morphisec.com/blog/morphisec-discovers-ccleaner-backdoor/CVE reference · technical-description
- https://blog.talosintelligence.com/avast-distributes-malware/CVE reference · technical-description
- https://www.vulncheck.com/advisories/ccleaner-and-ccleaner-cloud-malicious-backdoor-supply-chain-compromiseCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Embedded Malicious Code
Embedded Malicious Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
