LiveActive security incident?Get immediate response
CVE Record

CVE-2017-20201: CCleaner v5.33.6162 & CCleaner Cloud v1.07.3191 Malicious Backdoor Supply Chain Compromise

CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214.

CriticalCVSS 9.3Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

Attackers slipped a hidden backdoor into officially signed CCleaner installers distributed by Piriform between August and September 2017. Anyone who downloaded those specific 32-bit builds during that window received malware that quietly collected system information and reached out to attacker-controlled servers. Because the trojanized files came through legitimate update channels, normal trust signals offered no protection.

Executive priority

Treat as a closed historical incident with residual hunt obligation. If your organization ran 32-bit CCleaner in late 2017, fund a retrospective compromise assessment and credential rotation. Going forward, prioritize vendor supply chain assurance over reacting to this specific CVE.

Technical view

The 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 binaries contained a pre-main loader hijacking __scrt_common_main_seh. It decoded an embedded blob, allocated executable heap memory, dynamically resolved Windows APIs, and ran a reflective payload entirely in memory. The payload performed anti-analysis checks, harvested host telemetry, applied two-stage obfuscation, and exfiltrated data over HTTPS to hard-coded C2 servers and month-based DGA fallback domains.

Likely exposure

Exposure was limited to Windows hosts that installed the specific 32-bit builds (CCleaner 5.33.6162 from 15 Aug 2017 or CCleaner Cloud 1.07.3191 from 24 Aug 2017) before the September 2017 fixes. Avast reported roughly 2.27 million machines received the trojanized build, with a smaller second-stage targeting major technology firms.

Exploitation context

Confirmed real-world supply chain compromise, not just theoretical. Avast, Cisco Talos, Morphisec, and CrowdStrike documented active deployment of the backdoor and second-stage targeting of selected technology vendors. Not currently listed in CISA KEV, but vendor and third-party telemetry confirm in-the-wild execution during the August–September 2017 window. Exploitation required only normal installation of the signed installer.

Researcher notes

CWE-506 (Embedded Malicious Code) fits cleanly. The loader pattern—hijacking CRT startup, in-memory decode, dynamic API resolution, two-stage obfuscated HTTPS exfil with DGA fallback—is well-documented across Talos, Morphisec, Avast, and CrowdStrike. Only 32-bit builds were affected; 64-bit users were unaffected per vendor advisories. Worth modeling as a baseline supply chain compromise case study for detection engineering and IR tabletop exercises.

Mitigation direction

  • Upgrade affected hosts to CCleaner 5.34+ or CCleaner Cloud 1.07.3214+ per Piriform/Avast advisories.
  • Hunt historical endpoints for the trojanized 32-bit binaries and known C2/DGA indicators from Talos and Avast.
  • Rebuild any host where second-stage payload activity is suspected rather than relying on cleanup.
  • Rotate credentials, tokens, and keys used on potentially compromised systems during August–September 2017.
  • Review software supply chain controls: code-signing trust, build pipeline integrity, and vendor update validation.

Validation and detection

  • Inventory installed CCleaner versions and flag exact builds 5.33.6162 (32-bit) and Cloud 1.07.3191.
  • Search EDR/SIEM history for outbound connections to documented C2 hosts and monthly DGA domains.
  • Check registry and forensic artifacts described in Talos and Avast write-ups for second-stage indicators.
  • Confirm patched build is running and that auto-update channel is healthy on managed endpoints.
  • Cross-reference any matched hosts against Avast's published list of targeted second-stage organizations.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-506: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2017-20201 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.3 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
9Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.3CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

9.3Critical
CVSS 4.0 vector shape for CVE-2017-20201Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
PiriformCCleaner5.33.6162unaffected
PiriformCCleaner Cloud1.07.3191unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-506 · source CWE mapping

Embedded Malicious Code

Embedded Malicious Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.