Serious Discussion Three Unpatched Vulnerabilities Plague Comodo. Documented Online.

Would you use vulnerable and outdated software, when alternatives exist?

  • Yes

  • No


@bazang I don’t understand Melih.

Why not aim for creating a high quality product instead of pushing software that doesn’t even have permanent teams behind it?
You said you’ve lived in Turkey, Comodo reminds me awfully of Vestel.

I really don’t understand his mindset, does he not wanna make money? I mean he is making money but does he not wanna make more?

This would inevitably help the business products as well through the improved telemetry pipe.

The entire Comodo philosophy is just one very weird way of thinking and running a business.
 
Windows 10 support ends on October 14, 2025. It seems logical that you would do much greater good, find a better "crusade" and help many more people if everyone shifted focus to nagging people to move off a no longer maintained OS (for free), with all the vulnerabilities and bugs that will not be patched.
Happy 14 October 🎉🎉🎉
 
I've been following this thread, I get it, people are so frustrated. It's easy for these things to get heated, but I think we're getting sidetracked. Maybe it's more useful to talk about what we should expect from any security company.

For me, it all comes down to trust. Choosing a security product isn't like buying a toaster, it's more like hiring a bodyguard. You're trusting a company to protect you 24/7. When they know about serious problems and the only answer is a vague "we're working on it" for months, that trust is broken. The product stops being an asset and starts feeling like a real risk.

And look, every piece of software has bugs. The real issue is whether the company has a solid, reliable process for fixing them. In the security industry, there’s a formal process for this: finding the bug, prioritizing it, patching it, and then telling us about it. The claim about "hundreds of unfixed bugs" suggests that this entire safety process has fallen apart, which is a massive red flag.

This is where the accusation of just giving the software a "facelift" for 2025 comes in. There's a term for this, "security theater." It's like putting a big, shiny new lock on a door with rotten wooden hinges. It looks impressive, but it does nothing to actually make you safer. A new version number needs to mean real security improvements, not just a fresh coat of paint.

At the end of the day, arguing won't get these bugs fixed. Evidence will. So, instead of getting personal, why don't we focus on the facts? Can anyone show the patch notes? Can we see the list of fixed CVEs? The conversation should be about proof, not passion. That's the only way we'll get real answers.
 
And look, every piece of software has bugs. The real issue is whether the company has a solid, reliable process for fixing them. In the security industry, there’s a formal process for this: finding the bug, prioritizing it, patching it, and then telling us about it. The claim about "hundreds of unfixed bugs" suggests that this entire safety process has fallen apart, which is a massive red flag.
The bug fix process did not fall apart; it's worse than that, it does not exist at all.
 
There are no logs or evidence. The changes in the new Comodo include the Intel Threat Detection interface (which by itself is a mere telemetry pipe and not something that automatically starts removing malware), a new skin (highly similar to the previous one, most likely a modified Sciter template), and that’s about it.

There is no evidence that anything is fixed or improved; the promises that Valkyrie would be integrated were false, and the integration didn’t commence.

All in all, after 3.5 years with no updates (apart from adding daily hashes to the anti-malware database), Comodo recompiled some classes (C#, C++, whatever), quickly modified one Sciter template and re-released the product.

Such business practices are not illegal but also, don’t inspire trust and confidence in the product.

Choosing a security product isn't like buying a toaster

Oh and btw I wouldn’t just buy any toaster either.
 
Considering how well maintained some free software is without selling subscriptions or receiving much other recompense, Comodo's deceptive presentation and "updates" don't sit that well with me either. An Xcitium employee confirmed that Comodo is discontinued in an email, but it sure doesn't seem that way from the Comodo side of things.
 
Considering how well maintained some free software is without selling subscriptions or receiving much other recompense, Comodo's deceptive presentation and "updates" don't sit that well with me either. An Xcitium employee confirmed that Comodo is discontinued in an email, but it sure doesn't seem that way from the Comodo side of things.
An Xcitium employee confirmed that the product is discontinued, but as of today, the page hasn’t been updated with any notices and all features of the page, including the check-out form are in an operational state.

So how come it’s discontinued but still on sale? That’s not how you discontinue a product. First the sales end, and only then the support.

The whole Comodo story is one circus and the dancing bears in this circus are only the Comodo users, unable to move on, holding on to this containment as if they are holding on to their dear life.
 
There is no evidence that anything is fixed or improved; the promises that Valkyrie would be integrated were false, and the integration didn’t commence.

This is the crucial thing. Comodo has had several vulnerabilities over the last 15 years; however, the past vulnerabilities are not visible in the new CIS version.
The recommendation to avoid vulnerability is updating CIS to the next version, for example:
https://secalerts.co/vulnerability/CVE-2024-7251
https://nvd.nist.gov/vuln/detail/CVE-2024-7251#vulnConfigurationsArea

This suggests that Comodo fixes vulnerabilities by releasing a new version.
However, sceptics can say that this is only a tactic, and those vulnerabilities are still unpatched.
The only way to be sure is to ask people who discovered those older vulnerabilities or test them.
 
About Comodo bugs.

From February 2025 (last version published) until now, there have been 10 bugs reported, and half of them were not bugs at all. It does not seem like a big number for the new version. One bug was related to a CIS vulnerability and was fixed after two months. A few others are probably unpatched.

@Pico
What is the source of the 100 bugs mentioned in your post?
 
This is the crucial thing. Comodo has had several vulnerabilities over the last 15 years; however, the past vulnerabilities are not visible in the new CIS version.
The recommendation to avoid vulnerability is updating CIS to the next version, for example:
https://secalerts.co/vulnerability/CVE-2024-7251
https://nvd.nist.gov/vuln/detail/CVE-2024-7251#vulnConfigurationsArea

This suggests that Comodo fixes vulnerabilities by releasing a new version.
However, sceptics can say that this is only a tactic, and those vulnerabilities are still unpatched.
The only way to be sure is to ask people who discovered those older vulnerabilities or test them.

There was something on the Comodo forum, someone had consolidated everything under a single post, but Comodo is very well known for deleting bug reports from the forum. It was much more than 100 actually. Last time I tried it, my system froze. I had to remove it in safe mode; fortunately it was before the BitLocker key was required to enter safe mode.
 
I hope I get objective answers and not garbage like psycho, fanatic, etc.

I did post an image showing that Comodo had cut the internet connection (wait 99 seconds here, then delete the remote connection). I knew where it was coming from, so I was able to provoke it again. However, Comodo cut this one connection months before the new CVEs. The other two, for which I don't know who or what caused them, only appeared after the CVEs. So I assume there's a connection.

This proximity in time at least creates a connection. Why only one warning about remote access before, and then suddenly three?

And please, stay objective and don't say, "Here we have another fanboy, a fanatic." If I read anything about psychopaths or something about myself, I'll seriously consider filing a defamation lawsuit of the worst kind. The internet isn't a lawless space, or even completely anonymous. It's directed against a specific user who hopefully keeps quiet.

Cruelsister explains in the Comodo forum:

cruelsister

Jul 11
Guys, please understand that these vulnerabilities are what is termed a two-step attack, where the attacker needs to first gain root access through another vulnerability before they can exploit the system.
These CVEs are NOT "run this file and be compromised" exploits (also Comodo would alert to any prior privilege elevation requests, thereby stopping Step 1).

Please don't just reply, just switch and your problem will be solved. I know this solution too. However, I've 1) invested a lot of time in Comodo and 2) have always been protected. Perhaps now again against CVE, as I wrote.
I know there can't be any concrete answers, probably just speculation, lacking further facts.
 
The vulnerability itself doesn't need root access; the purpose of exploiting it is to move vertically, from the least privilege possible (which is simply being on the network, such as a public network and so on). Then Comodo's poor verification of its update content allows the execution of arbitrary code with very high privileges, something that should not happen.

The only thing here is the pre-requisite - the attacker must be on the network.

Then again, most attacks require pre-requisites; if it was as easy as typing a few lines in PowerShell, we would all be hackers and crackers.

The attack was then called "convoluted". These are naive statements. What's convoluted for Cruelsister could be just a few clicks for an attacker who makes a living from this (having 2 houses, a flat somewhere on the seaside and 2-3 cars parked) and spends 16 hours a day working on it.

Exploited or not, the process of Comodo not even verifying their update content, not even commenting on the vulnerability, let alone attempting to fix it should severely diminish the trust in Comodo.

Comodo is not professionally designed to a high standard.
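The missing step the post above describes, the client checking update content before anything in it runs, looks like the following when done properly. This is an added example written for this thread, not Comodo's or Xcitium's code, and it assumes a hypothetical vendor that signs a per-update manifest with an Ed25519 key whose public half is pinned in the client; the file names and contents are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest describes one update: the version it installs and the SHA-256 of
// every file it ships. The vendor signs the canonical JSON of this struct;
// clients ship with the matching public key pinned.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // relative path -> hex SHA-256
}

// canonicalBytes serialises the manifest deterministically: encoding/json
// writes map keys in sorted order, so signer and verifier hash identical bytes.
func canonicalBytes(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// GenerateVendorKeys creates the hypothetical vendor's signing key pair.
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest records the hash of every file the vendor intends to ship.
func BuildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: make(map[string]string, len(files))}
	for path, content := range files {
		sum := sha256.Sum256(content)
		m.Files[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest is the vendor-side step: an Ed25519 signature over the
// canonical manifest bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	data, err := canonicalBytes(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, data), nil
}

// VerifyUpdate is the client-side gate that must pass before any delivered
// file is written or executed. It rejects the update unless the manifest
// signature verifies under the pinned key, every listed file was delivered
// and hashes to the recorded value, and nothing unlisted was delivered.
// An on-path attacker who swaps or appends a file gets a refusal, not code
// execution at the updater's privilege level.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, delivered map[string][]byte) error {
	data, err := canonicalBytes(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, data, sig) {
		return fmt.Errorf("update %q: manifest signature invalid", m.Version)
	}
	for path, want := range m.Files {
		content, ok := delivered[path]
		if !ok {
			return fmt.Errorf("update %q: file %q listed but not delivered", m.Version, path)
		}
		sum := sha256.Sum256(content)
		if got := hex.EncodeToString(sum[:]); got != want {
			return fmt.Errorf("update %q: file %q hash mismatch", m.Version, path)
		}
	}
	for path := range delivered {
		if _, ok := m.Files[path]; !ok {
			return fmt.Errorf("update %q: file %q not covered by signed manifest", m.Version, path)
		}
	}
	return nil
}

// SampleUpdate returns constructed file contents standing in for an update
// package; the names are invented and refer to no real product.
func SampleUpdate() map[string][]byte {
	return map[string][]byte{
		"agent.bin": []byte("constructed agent binary 2025.1"),
		"rules.dat": []byte("constructed detection rules"),
	}
}

func main() {
	pub, priv, err := GenerateVendorKeys()
	if err != nil {
		panic(err)
	}
	files := SampleUpdate()
	m := BuildManifest("2025.1", files)
	sig, _ := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, files))

	// Simulate an on-path attacker replacing one file in transit.
	tampered := map[string][]byte{"rules.dat": files["rules.dat"]}
	tampered["agent.bin"] = []byte("substituted content")
	fmt.Println("tampered file:", VerifyUpdate(pub, m, sig, tampered))
}
```

The order of checks matters: the signature is verified before any per-file work, so an unsigned or re-signed-by-the-wrong-key manifest is rejected without the client ever trusting a hash from it, and the extra-file check closes the gap where an attacker leaves the signed files intact and only adds one more.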
 
In the meantime, my doubts have been reignited by all the reading and warnings, and I'm close to switching again. I've had a lot of positive experiences, but what good is that if something goes wrong at some point? I've done my research, and Bitdefender and Norton have already responded and closed the gap.
Thanks for your explanation. As I wrote, I'm concerned about security, not about Comodo.
 
There was something on the comodo forum, someone had consolidated everything under a single post, but Comodo is very well known for deleting bug reports from the forum. It was much more than 100 actually.

The "someone" person could post outdated bugs that are fixed in the CIS 2025.
I would rather believe people who use CIS 2025 and report bugs on MT or other forums.
 
In the meantime, my doubts have been reignited by all the reading and warnings, and I'm close to switching again. I've had a lot of positive experiences, but what good is that if something goes wrong at some point? I've done my research, and Bitdefender and Norton have already responded and closed the gap.
Thanks for your explanation. As I wrote, I'm concerned about security, not about Comodo.
In my opinion you are better off first learning to be suspicious and cautious about what you browse and execute, and then installing a reputable, actively maintained product that provides multi-layered security (starting from the web browser through to behavioral blocking).
 
Exploited or not, the process of Comodo not even verifying their update content, not even commenting on the vulnerability, let alone attempting to fix it should severely diminish the trust in Comodo.

Comodo is not professionally designed to a high standard.

Stupid bugs were reported for other AVs, too. Although the history of the Comodo development may indicate a medium standard. :)
 
Stupid bugs were reported for other AVs, too. Although the history of the Comodo development may indicate a medium standard. :)
Yes, but the crucial question is whether the program is improved in this regard. Comodo's approach isn't bad, with its assumption that "everyone" is initially suspicious. Then they'll see who they can trust and let in. But cybercriminals, as you can see, aren't stupid either.

However, Germany, where I live, is a popular target for cybercriminals, whether businesses or private individuals. And yet I haven't fallen victim yet. I don't know what percentage of those who have become private victims are.
 
Yes, but the crucial question is whether the program is improved in this regard. Comodo's approach isn't bad, with its assumption that "everyone" is initially suspicious. Then they'll see who they can trust and let in. But cybercriminals, as you can see, aren't stupid either.

However, Germany, where I live, is a popular target for cybercriminals, whether businesses or private individuals. And yet I haven't fallen victim yet. I don't know what percentage of those who have become private victims are.
Cybercrime is a very broad term. Losses due to malware/spyware usually do not occur directly; there are secondary threats, for example once attackers steal your data they will sell it, and once they sell it, you will be a target of scam calls. But cases where a home user has been infected by malware and has suffered financial loss (not data or other loss) as a direct result are very rare.

Hence, there is no point wasting time with software that is jam-packed with vulnerabilities and bugs, software whose CEO is telling you "I know it has bugs, take it or leave it" and so on, when you can install quality software even for free, like Avast Free, Bitdefender Free and so on. Just for a sandbox, it's not worth it.
 