ClamAV is an open-source antivirus engine maintained by Cisco. Because it is freely available, it is embedded in a large number of software products and appliances, such as email servers. This means that if an attacker can fully compromise the AV engine running inside one of those products, they could read incoming and outgoing email and, on an appliance, even control an organization's network traffic. It is well known that AV engines expose a large, externally reachable attack surface, since they parse a wide variety of file formats, often arriving from the Internet. On the other hand, modern mitigations make exploiting antivirus software significantly harder: a remote attacker cannot interact with the target and therefore cannot leak memory addresses.
This talk is a case study of reliably exploiting CVE-2023-20032, a heap buffer overflow, as a remote attacker, and of the lessons learned from it. The exploit achieves remote code execution and uses a unique technique to bypass ASLR that can be applied to similar targets.