CVE-2023-35841 Overview
CVE-2023-35841 is a high-severity privilege escalation vulnerability affecting the Phoenix WinFlash Driver on Windows. The driver exposes an I/O control (IOCTL) interface with insufficient access control, allowing a local low-privileged attacker to modify system firmware. The flaw is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) and impacts all WinFlash Driver versions prior to 4.5.0.0. Successful exploitation grants kernel-level capabilities, including the ability to flash or alter UEFI/BIOS firmware, enabling persistence below the operating system. Vulnerable signed drivers like this one are commonly abused in Bring Your Own Vulnerable Driver (BYOVD) attacks.
Critical Impact
A local authenticated attacker can abuse the exposed IOCTL to execute privileged firmware operations, achieving kernel-level code execution and persistent firmware-level compromise.
Affected Products
- Phoenix WinFlash Driver versions before 4.5.0.0 on Windows
- Systems with the phoenixtech:winflash driver installed for firmware flashing operations
- OEM platforms shipping Phoenix-based firmware update utilities
Discovery Timeline
- 2024-05-14 - CVE-2023-35841 published to NVD
- 2025-09-25 - Last updated in NVD database
Technical Details for CVE-2023-35841
Vulnerability Analysis
The Phoenix WinFlash Driver is a kernel-mode component used to perform firmware flashing operations on Windows systems. Kernel drivers expose functionality to user mode through IOCTL codes, and these handlers must enforce strict access control to prevent abuse. In vulnerable WinFlash versions, the driver registers IOCTL handlers without sufficient checks on the calling process. A local user with standard privileges can open a handle to the driver device and issue privileged IOCTL requests. These requests allow direct interaction with firmware interfaces, including SPI flash read and write primitives. Because the driver runs in kernel context, any operation it performs bypasses Windows security boundaries. Attackers can leverage this to read or write physical memory, modify SMM regions, or persist malicious code in firmware that survives operating system reinstallation.
Root Cause
The root cause is missing or insufficient access control on the driver's exposed IOCTL interface. The driver does not restrict callers to administrative or SYSTEM contexts, nor does it validate that incoming requests originate from a trusted user-mode service. This permission misassignment is the defining characteristic of CWE-732.
Attack Vector
Exploitation requires local access and low privileges on the target Windows system. An attacker opens the WinFlash driver device object, then issues crafted IOCTL requests to invoke firmware modification primitives. No user interaction is required. The vulnerability manifests through the driver's IOCTL dispatch routine. See the PhoenixTech CVE-2023-35841 Notification and the VMware Blog on Vulnerable Drivers for additional technical context on how vulnerable kernel drivers are abused in real-world intrusions.
Detection Methods for CVE-2023-35841
Indicators of Compromise
- Presence of older WinFlash driver binaries (versions earlier than 4.5.0.0) loaded on systems where firmware updates are not actively being performed
- Unexpected handles opened to the WinFlash driver's device object by non-administrative processes
- Kernel driver load events for Phoenix WinFlash originating from temporary directories or user-writable paths
- Firmware integrity check failures or unexpected UEFI/BIOS modification events
Detection Strategies
- Inventory all signed kernel drivers across the fleet and flag instances of WinFlash driver versions below 4.5.0.0
- Monitor for DeviceIoControl calls targeting the WinFlash device by non-privileged or unexpected user processes
- Apply Microsoft's recommended vulnerable driver blocklist policies and Windows Defender Application Control (WDAC) rules
- Cross-reference loaded drivers against the LOLDrivers project database to identify known-abused versions
Monitoring Recommendations
- Enable kernel driver load auditing through Sysmon Event ID 6 (Driver loaded) and forward events to a centralized logging platform
- Alert on driver installations performed outside of approved patch management or OEM update workflows
- Track firmware version changes through TPM measurements and platform attestation logs
- Review endpoint telemetry for processes opening handles to firmware-related device paths
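The inventory and driver-load checks above can be run from one script. The following is an added example written for this page, not code from the advisory or from Phoenix. It assumes Sysmon is installed and writing to its default Microsoft-Windows-Sysmon/Operational channel, and it matches WinFlash drivers by the "*WinFlash*" device and INF name pattern used elsewhere on this page.

```powershell
# Added example (not from the advisory or from Phoenix): hunt for WinFlash driver
# instances below the fixed 4.5.0.0 release and for Sysmon driver-load events
# (Event ID 6) that place a WinFlash image in a user-writable path.
# Assumes Sysmon logs to its default 'Microsoft-Windows-Sysmon/Operational' channel.
$FixedVersion = [version]'4.5.0.0'

# 1. Driver inventory: parse DriverVersion as a [version] so "4.10.0.0" is not
#    mistakenly treated as older than "4.5.0.0" by a string comparison.
$inventory = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -like '*WinFlash*' -or $_.InfName -like '*WinFlash*' } |
    ForEach-Object {
        $parsed = $null
        $parsable = [version]::TryParse([string]$_.DriverVersion, [ref]$parsed)
        [pscustomobject]@{
            DeviceName    = $_.DeviceName
            DriverVersion = $_.DriverVersion
            InfName       = $_.InfName
            # Unparsable versions are flagged as well; they need manual review.
            BelowFix      = (-not $parsable) -or ($parsed -lt $FixedVersion)
        }
    }

# 2. Sysmon Event ID 6 (Driver loaded) from the last 30 days.
$loads = @()
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 6
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction Stop
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $loads += [pscustomobject]@{
            Time        = $e.TimeCreated
            ImageLoaded = $data['ImageLoaded']
            Signature   = $data['Signature']
            Hashes      = $data['Hashes']
        }
    }
} catch {
    Write-Warning "No Sysmon driver-load events read: $($_.Exception.Message)"
}

# Loads from Temp, Users or ProgramData fall outside normal OEM update workflows.
$suspiciousLoads = $loads | Where-Object {
    $_.ImageLoaded -match 'WinFlash' -and $_.ImageLoaded -match '\\(Temp|Users|ProgramData)\\'
}

'--- WinFlash driver inventory ---'
$inventory | Format-Table -AutoSize
'--- WinFlash images loaded from user-writable paths (Sysmon ID 6) ---'
$suspiciousLoads | Format-Table -AutoSize
```

Run it in an elevated session so Get-WinEvent can read the Sysmon channel. The Hashes field in the output is what you would compare against the LOLDrivers entries mentioned above; any inventory row with BelowFix set to True is a candidate for the update or removal steps in the mitigation section.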
How to Mitigate CVE-2023-35841
Immediate Actions Required
- Update Phoenix WinFlash Driver to version 4.5.0.0 or later on all affected systems
- Remove or quarantine legacy WinFlash driver binaries that are no longer needed for active firmware management
- Deploy the Microsoft vulnerable driver blocklist policy to block known-abused versions at the kernel loader
- Restrict local administrative access and monitor accounts that retain rights to load kernel drivers
Patch Information
Phoenix has released a fixed version of the WinFlash Driver. Customers should upgrade to version 4.5.0.0 or later. Refer to the Phoenix Security CVE-2023-35841 Alert and the PhoenixTech CVE-2023-35841 Notification for vendor remediation guidance. Additional impact analysis is available in the JVN Vulnerability Report JVNVU93886750.
Workarounds
- Uninstall the WinFlash driver on endpoints that do not require firmware update functionality
- Enforce Hypervisor-Protected Code Integrity (HVCI, shown as Memory Integrity in Windows Security) to block loading of vulnerable drivers
- Apply Windows Defender Application Control policies that whitelist only the patched driver version by hash
- Restrict device object access through driver-level ACLs where vendor configuration permits
# Configuration example - verify driver version and apply blocklist policy
# Check installed WinFlash driver version on Windows
Get-WmiObject Win32_PnPSignedDriver | Where-Object {$_.DeviceName -like "*WinFlash*"} | Select-Object DeviceName, DriverVersion
# Enable Microsoft vulnerable driver blocklist via Windows Security
# Settings > Windows Security > Device security > Core isolation > Microsoft Vulnerable Driver Blocklist = On
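To verify the workarounds above on a single endpoint, the following added example (written for this page, not code from the advisory or from Phoenix) checks the blocklist setting, HVCI state and remaining legacy WinFlash packages and prints what is missing. It assumes Microsoft's documented registry location for the vulnerable driver blocklist and the Win32_DeviceGuard WMI class; the -EnableBlocklist switch name is this example's own.

```powershell
# Added example (not from the advisory or from Phoenix): check the workaround
# controls on one endpoint and report what is missing. Registry path and WMI
# class are Microsoft's documented locations for the vulnerable driver blocklist
# and HVCI; run from an elevated PowerShell session.
param([switch]$EnableBlocklist)

$findings = @()
$FixedVersion = [version]'4.5.0.0'

# 1. Microsoft vulnerable driver blocklist (the Core isolation setting in Windows Security).
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -ne 1) {
    $findings += 'Vulnerable driver blocklist is not explicitly enabled'
    if ($EnableBlocklist) {
        Set-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
        $findings += 'Blocklist value set; a reboot is required before it takes effect'
    }
}

# 2. HVCI / Memory Integrity: Win32_DeviceGuard reports 2 in SecurityServicesRunning when active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or ($dg.SecurityServicesRunning -notcontains 2)) {
    $findings += 'HVCI (Memory Integrity) is not running'
}

# 3. Legacy WinFlash packages still installed below the 4.5.0.0 fix threshold.
$legacy = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -like '*WinFlash*' } |
    Where-Object {
        $v = $null
        (-not [version]::TryParse([string]$_.DriverVersion, [ref]$v)) -or ($v -lt $FixedVersion)
    }
foreach ($d in $legacy) {
    $findings += "Legacy WinFlash driver present: $($d.DeviceName) $($d.DriverVersion) ($($d.InfName))"
}

if ($findings.Count -eq 0) { 'All checked controls are in place.' } else { $findings }
```

A legacy package reported here can be removed from the driver store with pnputil, using the INF name the script prints (pnputil /delete-driver oemNN.inf /uninstall), which implements the "uninstall the WinFlash driver" workaround on endpoints that do not need firmware update functionality.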
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.