CVE-2025-14963 Overview
A local privilege escalation vulnerability has been identified in the Trellix Endpoint Security HX Agent driver file fekern.sys. This vulnerability allows a threat actor with local user access to gain elevated system privileges by exploiting improper input validation in the driver. The attack leverages a Bring Your Own Vulnerable Driver (BYOVD) technique to access critical Windows process memory, specifically targeting lsass.exe (Local Security Authority Subsystem Service).
The fekern.sys driver is associated with the HX Agent and is present in all existing HX Agent versions. Notably, when installed as part of a fully functional HX Agent deployment, the vulnerable driver is not directly exploitable due to the product's tamper protection mechanism, which restricts communication with the driver to only the Agent's authorized processes.
Critical Impact
Successful exploitation enables attackers to escalate privileges to SYSTEM level, potentially accessing credential data stored in lsass.exe memory through BYOVD techniques.
Affected Products
- Trellix Endpoint Security (all versions with HX Agent)
- Trellix Endpoint Security version 35.31.0-37
- Trellix Endpoint Security version 36.30.0-17
Discovery Timeline
- 2026-02-24 - CVE-2025-14963 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2025-14963
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) within the fekern.sys kernel-mode driver. The driver, designed to provide endpoint protection capabilities for the Trellix HX Agent, fails to properly validate certain inputs when processing IOCTL (Input/Output Control) requests. This weakness creates an attack surface that can be exploited through BYOVD (Bring Your Own Vulnerable Driver) techniques.
In a BYOVD attack scenario, threat actors deploy a standalone copy of the vulnerable fekern.sys driver on target systems where a fully functional HX Agent is not installed. Without the HX Agent's tamper protection mechanisms active, the attacker can freely communicate with the driver and leverage its elevated kernel privileges to access protected system memory regions.
The primary target of this exploitation is lsass.exe, the Windows Local Security Authority Subsystem Service, which stores authentication credentials in memory. By gaining kernel-level access through the vulnerable driver, attackers can dump credentials or perform other privileged operations that would normally require SYSTEM-level access.
Root Cause
The root cause of this vulnerability is improper input validation (CWE-20) within the fekern.sys driver's IOCTL handling routines. The driver does not adequately validate parameters passed from user-mode applications, allowing malicious inputs to influence kernel-mode operations. This design flaw, combined with the driver's inherent elevated privileges, creates a privilege escalation pathway.
The vulnerability is mitigated in normal deployment scenarios by the HX Agent's tamper protection, which restricts driver communication to authorized Agent processes. However, when the driver is loaded independently (BYOVD scenario), these protections are not present.
Attack Vector
The attack requires local access to the target system and follows a multi-stage exploitation process:
- Driver Deployment: The attacker obtains a copy of the vulnerable fekern.sys driver and loads it on a target system without an active HX Agent installation
- IOCTL Communication: The attacker crafts malicious IOCTL requests to communicate with the loaded driver
- Privilege Escalation: Through the driver's kernel-mode privileges, the attacker gains elevated access to system resources
- Credential Access: The attacker leverages the elevated privileges to read protected memory from lsass.exe, extracting authentication credentials
The local attack vector and requirement for the attacker to already have high privileges (to load a kernel driver) contribute to the medium severity rating. However, in environments where driver loading is less restricted or where the vulnerable driver file can be obtained, the impact remains significant.
Detection Methods for CVE-2025-14963
Indicators of Compromise
- Presence of fekern.sys driver loaded on systems without an active Trellix HX Agent installation
- Unusual driver loading events from non-standard directories or by non-administrative processes
- Suspicious IOCTL calls targeting the fekern driver from unknown processes
- Memory access attempts targeting lsass.exe from kernel-mode drivers
Detection Strategies
- Monitor for driver load events using Windows Event Log (Event ID 7045 for new service installations)
- Implement driver block rules for known vulnerable versions of fekern.sys using Windows Defender Application Control (WDAC)
- Deploy endpoint detection rules for BYOVD attack patterns targeting credential processes
- Audit and alert on suspicious lsass.exe memory access patterns
Monitoring Recommendations
- Enable kernel-mode driver loading auditing in Windows Security Event Logs
- Configure SIEM rules to correlate driver loading events with subsequent suspicious activity
- Monitor for unauthorized copies of fekern.sys appearing on endpoints outside of legitimate Trellix installations
- Implement honeypot detection for credential dumping attempts against lsass.exe
How to Mitigate CVE-2025-14963
Immediate Actions Required
- Review systems for unauthorized copies of fekern.sys driver files outside legitimate Trellix installations
- Ensure all Trellix Endpoint Security deployments have tamper protection enabled and active
- Implement application control policies to prevent unauthorized kernel driver loading
- Audit local administrator accounts and restrict driver loading privileges where possible
Patch Information
Trellix has published information regarding this vulnerability. Organizations should consult the Trellix Security Advisory for the latest guidance on affected versions and available updates. Ensure that all Trellix Endpoint Security installations are updated to the most recent version that addresses this vulnerability.
Workarounds
- Deploy Windows Defender Application Control (WDAC) policies to block loading of vulnerable fekern.sys driver versions
- Implement Credential Guard to protect lsass.exe memory from kernel-mode access
- Restrict local administrator privileges to limit the ability to load kernel drivers
- Use SentinelOne's Singularity platform to detect and block BYOVD attack techniques in real-time
# Configuration example
# Block vulnerable driver using WDAC - Add to your code integrity policy
# Identify the vulnerable driver hash and add to deny rules
# Example PowerShell to audit driver loading
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" |
Where-Object { $_.Id -eq 3004 -or $_.Id -eq 3033 } |
Select-Object TimeCreated, Message |
Format-Table -AutoSize
# Enable driver loading auditing
auditpol /set /subcategory:"Plug and Play Events" /success:enable /failure:enable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
