CVE-2025-14963 Overview
CVE-2025-14963 affects the Trellix HX Agent driver file fekern.sys, present in all existing HX Agent versions. A local user with prior access can leverage the driver in a Bring Your Own Vulnerable Driver (BYOVD) scenario to gain elevated system privileges. Successful exploitation enables access to the memory of lsass.exe (Local Security Authority Subsystem Service), a critical Windows process that holds authentication secrets.
The driver installed alongside a fully functional HX Agent is not directly exploitable. The product's tamper protection restricts driver communication to the Agent's own processes. The risk emerges when the vulnerable driver is copied and loaded on a separate system without those protections.
Critical Impact
Local attackers can abuse fekern.sys as a BYOVD to read lsass.exe memory and escalate to SYSTEM-level privileges.
Affected Products
- Trellix Endpoint Security (HX Agent), all existing versions
- Trellix Endpoint Security 35.31.0-37
- Trellix Endpoint Security 36.30.0-17
Discovery Timeline
- 2026-02-24 - CVE-2025-14963 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2025-14963
Vulnerability Analysis
The vulnerability resides in fekern.sys, a kernel-mode driver shipped with the Trellix HX Agent. The driver exposes functionality that, when reachable from user mode, allows a caller to interact with protected kernel structures and read sensitive process memory. The classification maps to [CWE-20] Improper Input Validation, indicating the driver does not adequately validate requests it receives.
In a deployed HX Agent environment, tamper protection brokers all driver communication through Agent processes. An attacker cannot directly invoke the driver's interfaces on a protected host. The exploitable scenario is BYOVD: the attacker extracts fekern.sys and loads it on a target system that lacks the HX Agent's tamper protection layer. Once loaded, the driver operates with kernel privileges and the attacker controls the message channel.
With kernel access through the driver, the attacker reads memory regions belonging to lsass.exe. This process stores credential material including NTLM hashes, Kerberos tickets, and cached domain credentials, enabling lateral movement and privilege escalation.
Root Cause
The driver accepts input from user-mode callers without sufficient validation, permitting requests that grant access to arbitrary process memory. Because the driver is signed, it can be loaded on Windows systems that enforce driver signature verification, satisfying a prerequisite for BYOVD attacks.
Attack Vector
Exploitation requires local access and high privileges to install a kernel driver. The attacker stages fekern.sys on the target, loads it through the Service Control Manager or equivalent mechanism, then issues crafted IOCTL requests to access lsass.exe memory. User interaction is not required.
No verified public proof-of-concept code is available. Refer to the Trellix advisory for vendor-supplied technical detail.
Detection Methods for CVE-2025-14963
Indicators of Compromise
- Presence of fekern.sys on a host that does not have a legitimate Trellix HX Agent installation
- Service creation events registering fekern.sys outside of the standard Trellix installation path
- Unexpected kernel driver load events referencing the Trellix-signed driver on non-Trellix endpoints
- Process handles to lsass.exe originating from non-standard parents shortly after driver load
Detection Strategies
- Monitor Windows event ID 7045 and Sysmon event ID 6 for new kernel driver service installations and driver loads
- Hunt for the file hash and authenticode signature of fekern.sys on systems lacking Trellix product installation
- Correlate driver load events with subsequent suspicious access requests to lsass.exe
- Apply Microsoft's vulnerable driver blocklist and confirm that fekern.sys is included after the vendor coordinates with Microsoft
Monitoring Recommendations
- Enable kernel-mode driver telemetry across endpoints and forward to a centralized analytics platform
- Alert on lsass.exe handle open events that request PROCESS_VM_READ from unsigned or recently installed parent processes
- Track filesystem writes that place .sys files into world-writable locations followed by service registration
How to Mitigate CVE-2025-14963
Immediate Actions Required
- Upgrade Trellix Endpoint Security HX Agent to the fixed build identified in the vendor advisory
- Enforce Microsoft's recommended driver blocklist policy to prevent loading of known vulnerable drivers
- Restrict local administrative privileges to limit the population of users able to load kernel drivers
- Audit endpoints for stray copies of fekern.sys outside of authorized Trellix installation directories
Patch Information
Trellix has published guidance and remediation details in Trellix Knowledge Base article 000015100. Apply the vendor-supplied HX Agent update across all managed endpoints. Versions 35.31.0-37 and 36.30.0-17 are explicitly identified in the affected product list.
Workarounds
- Enable Windows Hypervisor-Protected Code Integrity (HVCI) to block unsigned and known vulnerable drivers from loading
- Deploy Windows Defender Application Control (WDAC) policies that explicitly deny the vulnerable fekern.sys hash
- Remove local administrator rights from standard user accounts to raise the bar for driver installation
# Example: apply Microsoft's recommended vulnerable driver blocklist via PowerShell
# Confirms HVCI and the driver blocklist are enforced on the host
Set-MpPreference -EnableControlledFolderAccess Enabled
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
