CVE-2025-60349 Overview
A denial of service vulnerability has been discovered in Prevx v3.0.5.220 that allows attackers to terminate arbitrary processes by sending a specially crafted IOCTL code to the pxscan.sys driver. The vulnerability exists in the handling of IOCTL code 0x22E044, which when triggered, terminates any processes listed under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files.
Critical Impact
Attackers can exploit this vulnerability to cause denial of service conditions by terminating critical system processes or security software, potentially leaving systems unprotected or causing service disruptions.
Affected Products
- Prevx v3.0.5.220
- Systems with the pxscan.sys driver installed
Discovery Timeline
- 2025-10-28 - CVE-2025-60349 published to NVD
- 2025-10-30 - Last updated in NVD database
Technical Details for CVE-2025-60349
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), though in this specific case it manifests as improper access control in a kernel-mode driver. The pxscan.sys driver in Prevx v3.0.5.220 fails to properly validate and restrict access to dangerous IOCTL operations.
When an attacker sends IOCTL code 0x22E044 to the driver, it triggers process termination for any processes registered under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files registry key. This can be exploited remotely via network attack vectors without requiring user interaction or privileges, making it particularly dangerous for exposed systems.
Root Cause
The root cause of this vulnerability lies in the insufficient access control and input validation within the pxscan.sys driver's IOCTL handler. The driver does not properly verify the caller's authorization before executing the process termination routine associated with IOCTL code 0x22E044. This allows any user or process that can communicate with the driver to trigger the dangerous functionality.
Attack Vector
The vulnerability is exploitable via network-based attack vectors. An attacker can craft and send the specific IOCTL code 0x22E044 to the pxscan.sys driver. Upon receiving this IOCTL, the driver enumerates the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files and terminates all processes listed there. This can be abused to:
- Terminate security software processes, disabling endpoint protection
- Cause denial of service by killing critical system processes
- Disrupt business operations by terminating application processes
A proof-of-concept exploit is available on GitHub, demonstrating the practical exploitability of this vulnerability.
Detection Methods for CVE-2025-60349
Indicators of Compromise
- Unexpected process terminations, particularly security software or critical services
- IOCTL communications to pxscan.sys driver from untrusted or unusual processes
- Modifications to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files
- System instability or repeated service crashes without apparent cause
Detection Strategies
- Monitor for IOCTL calls to the pxscan.sys driver, specifically looking for IOCTL code 0x22E044
- Implement registry auditing on HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files to detect unauthorized changes
- Deploy endpoint detection rules that alert on unexpected process terminations following driver communication
- Use behavioral analysis to identify patterns consistent with DoS attacks targeting kernel drivers
Monitoring Recommendations
- Enable Windows Driver Framework (WDF) logging to capture IOCTL activity to kernel drivers
- Configure SIEM rules to correlate multiple process termination events within short time windows
- Implement file integrity monitoring for the pxscan.sys driver file
- Monitor network traffic for potential remote exploitation attempts targeting driver interfaces
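As an added example (not part of this advisory or of the Prevx product), the correlation rule recommended above, written as SIEM-side logic in Python: it parses Sysmon-style "Process terminated" (Event ID 5) records and raises one alert when several processes from a protected-process list end within a short window, which is the pattern a triggered 0x22E044 IOCTL would produce. The protected names and the log lines are constructed; the real contents of the pxscan Files key are not given on this page.

```python
"""Correlation rule for CVE-2025-60349: flag bursts of terminated processes
whose names match the Prevx-protected list (the processes the advisory says
pxscan.sys kills when IOCTL 0x22E044 is issued)."""
import json
from collections import deque
from datetime import datetime

# Assumed protected-process names; the real contents of the
# HKLM\System\CurrentControlSet\Services\pxscan\Files key are not on the page.
PROTECTED = {"prevx.exe", "wscsvc.exe", "msmpeng.exe"}

# Constructed Sysmon-style "Process terminated" (Event ID 5) records, one per line.
SAMPLE_LOG = r"""
{"time": "2025-10-29T10:00:00", "event_id": 5, "image": "C:\\Windows\\notepad.exe"}
{"time": "2025-10-29T10:00:05", "event_id": 5, "image": "C:\\Program Files\\Prevx\\prevx.exe"}
{"time": "2025-10-29T10:00:06", "event_id": 5, "image": "C:\\Windows\\System32\\wscsvc.exe"}
{"time": "2025-10-29T10:00:07", "event_id": 5, "image": "C:\\ProgramData\\msmpeng.exe"}
{"time": "2025-10-29T10:00:08", "event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe"}
{"time": "2025-10-29T10:30:00", "event_id": 5, "image": "C:\\Program Files\\Prevx\\prevx.exe"}
"""

def parse_events(text):
    """Return sorted (timestamp, lowercase basename) for every Event ID 5 record."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("event_id") != 5:
            continue  # only terminations matter for this rule
        name = rec["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        events.append((datetime.fromisoformat(rec["time"]), name))
    return sorted(events)

def find_bursts(events, protected=PROTECTED, window_s=10, threshold=3):
    """Sliding window over protected-process terminations; return one
    (burst_start_iso, [names]) per window holding >= threshold of them."""
    alerts, recent = [], deque()
    for ts, name in events:
        if name not in protected:
            continue
        recent.append((ts, name))
        while (ts - recent[0][0]).total_seconds() > window_s:
            recent.popleft()  # the event just appended always stays
        if len(recent) >= threshold:
            alerts.append((recent[0][0].isoformat(), [n for _, n in recent]))
            recent.clear()  # one alert per burst, not one per extra event
    return alerts

if __name__ == "__main__":
    for start, names in find_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {start}: {len(names)} protected processes ended: {names}")
```

Tune window_s and threshold to the number of entries actually present under the pxscan Files key on your hosts; a single protected process ending is normal maintenance, several within seconds is not.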
How to Mitigate CVE-2025-60349
Immediate Actions Required
- Assess whether Prevx v3.0.5.220 is installed in your environment and identify affected systems
- Consider temporarily disabling or unloading the pxscan.sys driver if not critical to operations
- Implement network segmentation to limit exposure of vulnerable endpoints
- Monitor for exploitation attempts using the detection strategies outlined above
- Evaluate alternative security solutions if Prevx is providing critical protection functionality
Patch Information
At the time of this writing, no official patch information has been provided by the vendor. Organizations should monitor the Prevx website for security updates and patch releases. Given the severity of this vulnerability, immediate workarounds should be implemented while awaiting an official fix.
Workarounds
- Restrict access to the pxscan.sys driver through Windows access control mechanisms
- Use Windows Defender Application Control (WDAC) or AppLocker to block untrusted applications from communicating with the driver
- Implement network-level controls to prevent remote exploitation attempts
- Consider uninstalling Prevx v3.0.5.220 if the functionality is not critical and no patch is available
- Deploy compensating controls such as additional endpoint protection solutions to maintain security coverage
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.