CVE-2025-68947 Overview
CVE-2025-68947 is a driver vulnerability in NSecsoft's NSecKrnl Windows driver that enables a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted IOCTL requests to the driver. This vulnerability represents a Bring Your Own Vulnerable Driver (BYOVD) attack surface that threat actors can exploit to disable endpoint security solutions and other critical system processes.
Critical Impact
Local attackers can terminate critical system processes, including security software and Protected Processes, enabling evasion of endpoint detection and response (EDR) solutions and facilitating further malicious activity.
Affected Products
- NSecsoft NSecKrnl Windows Driver
- Windows systems with the vulnerable driver installed
- Systems where the driver can be loaded by authenticated users
Discovery Timeline
- 2026-01-13 - CVE-2025-68947 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68947
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), indicating that the NSecKrnl driver fails to properly validate the authorization of requests to terminate processes. When an authenticated local user sends specially crafted IOCTL requests to the driver, it processes these requests without verifying whether the caller has legitimate authority to terminate the target process. This allows any local user to terminate processes running under different security contexts, including those running as SYSTEM or those designated as Protected Processes.
The vulnerability has been observed in the context of BYOVD (Bring Your Own Vulnerable Driver) attacks, where threat actors deploy the vulnerable driver to target systems specifically to abuse its process termination capabilities. According to Hexastrike's analysis, this technique has been leveraged by malware such as ValleyRat to disable endpoint security solutions.
Root Cause
The root cause of CVE-2025-68947 lies in the driver's IOCTL handler failing to implement proper authorization checks before executing process termination requests. The driver exposes a privileged operation (process termination with kernel-level access) to user-mode callers without validating:
- Whether the calling process has the necessary privileges to terminate the target process
- Whether the target process is a Protected Process that should not be terminated by user-mode requests
- Whether the caller owns or has legitimate access to the target process
This design flaw allows any authenticated user to leverage the driver's kernel-mode privileges to terminate arbitrary processes.
Attack Vector
The attack requires local access and authentication to the target system. An attacker must be able to load or access the vulnerable NSecKrnl driver and send IOCTL requests to it. The attack flow typically involves:
- The attacker obtains or deploys the vulnerable NSecKrnl driver on the target system
- The attacker opens a handle to the driver's device object
- The attacker crafts IOCTL requests specifying target process identifiers
- The driver executes the process termination with kernel-level privileges
- Target processes, including security software, are forcibly terminated
The vulnerability is particularly dangerous because it can terminate Protected Processes—a Windows security feature specifically designed to prevent tampering with critical security software. A proof-of-concept is available in the ANYLNK GitHub repository.
Detection Methods for CVE-2025-68947
Indicators of Compromise
- Presence of the NSecKrnl driver on systems where NSecsoft software is not legitimately installed
- Driver file with SHA256 hash 206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 (see VirusTotal analysis)
- Unexpected termination of security software or SYSTEM processes
- IOCTL communications to the NSecKrnl device object from non-NSecsoft applications
Detection Strategies
- Monitor for driver loading events (Windows Event ID 7045) involving NSecKrnl or related driver names
- Implement driver blocklisting through Windows Defender Application Control (WDAC) or similar solutions
- Detect process termination events for protected security processes that should not be externally terminated
- Monitor for BYOVD attack patterns, including deployment of known vulnerable drivers
Monitoring Recommendations
- Enable and monitor kernel driver loading logs, including the System log's service installation events (Event ID 7045)
- Configure alerts for unexpected termination of EDR/security processes
- Implement application whitelisting to prevent unauthorized driver deployment
- Monitor for processes opening handles to the NSecKrnl device object
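The following PowerShell script is an added example (not from the advisory, NSecsoft, or any referenced analysis) that applies two of the detection strategies above on a single host: it searches the System log for service installation events (Event ID 7045) naming the driver, and it lists registered kernel drivers whose name or image path matches. The pattern `NSecKrnl` is assumed to match the service or image name the driver registers under; adjust `$Pattern` for related names you observe.

```powershell
# Added example (not from the advisory or the vendor): hunt for the NSecKrnl
# driver using service-install events (System log, Event ID 7045) and the set
# of drivers currently registered with the Service Control Manager.
# Assumption: 'NSecKrnl' matches the service/image name the driver uses.
param(
    [string]$Pattern   = 'NSecKrnl',
    [int]$LookbackDays = 30
)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Service installation events: the Service Control Manager logs 7045 when a
#    new service, kernel drivers included, is registered on the host.
$installs = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 7045
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Source  = 'Event 7045'
            Time    = $_.TimeCreated
            Account = $_.UserId      # SID of the account that registered the service
            Detail  = (($_.Message -split "`n") |
                        Select-String 'Service Name|Service File Name') -join '; '
        }
    }

# 2. Registered kernel drivers: catches a driver installed before the log
#    window, or on a host whose System log has already rolled over.
$registered = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -match $Pattern -or $_.PathName -match $Pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Source  = 'Win32_SystemDriver'
            Time    = $null
            Account = $null
            Detail  = "$($_.Name) state=$($_.State) path=$($_.PathName)"
        }
    }

$findings = @($installs) + @($registered)
if ($findings.Count -eq 0) {
    Write-Output "No driver matching '$Pattern' in the last $LookbackDays days of 7045 events or among registered drivers."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it with an elevated prompt so the System log and driver enumeration are fully readable. The 7045 query answers "when and by whom was it installed", while the `Win32_SystemDriver` query answers "is it still registered and running now"; a hit in the second with no hit in the first usually means the installation predates your log retention.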
How to Mitigate CVE-2025-68947
Immediate Actions Required
- Remove or quarantine the vulnerable NSecKrnl driver from affected systems
- Block the driver by hash using Windows Defender Application Control (WDAC) or third-party driver blocklist solutions
- Enable Hypervisor-Protected Code Integrity (HVCI) to prevent loading of unsigned or vulnerable drivers
- Audit systems for the presence of the vulnerable driver file
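The script below is an added example (not part of the advisory or NSecsoft's tooling) for the audit step: it walks the directories given in `$SearchRoots`, hashes every `.sys` file with SHA256, and reports files matching the hash published in the Indicators of Compromise section. The search roots are an assumption about where a dropped driver is likely to sit; extend the list for your environment. The script only reports unless `-Quarantine` is passed.

```powershell
# Added example (not from the advisory): audit a host for the vulnerable
# NSecKrnl driver by SHA256, using the hash from the advisory's IoC list.
# Assumption: $SearchRoots covers the locations worth scanning on this host.
param(
    [string[]]$SearchRoots  = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", "$env:TEMP"),
    [string]$QuarantineDir  = "$env:ProgramData\DriverQuarantine",
    [switch]$Quarantine
)

# SHA256 of the NSecKrnl driver as listed in the advisory (PowerShell's -eq
# is case-insensitive, so the case of Get-FileHash's output does not matter).
$IocHash = '206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261'

$hits = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Filter '*.sys' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h -and $h.Hash -eq $IocHash) { $_ }
        }
}

foreach ($file in $hits) {
    Write-Warning "Vulnerable NSecKrnl driver found: $($file.FullName)"
    if ($Quarantine) {
        # A loaded driver's image is locked by the kernel; stop and delete the
        # driver service first (sc.exe stop / sc.exe delete <name>) or the
        # move below fails and the warning in the catch block is printed.
        New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
        try {
            Move-Item -Path $file.FullName -Destination $QuarantineDir -ErrorAction Stop
            Write-Output "Quarantined to $QuarantineDir"
        } catch {
            Write-Warning "Could not quarantine $($file.FullName): $($_.Exception.Message)"
        }
    }
}

if (-not $hits) {
    Write-Output "No file matching the advisory hash under: $($SearchRoots -join ', ')"
}
```

Hash matching is exact by design: a rebuilt or re-signed copy of the driver with the same flaw would not match, which is why the WDAC hash rule in the workarounds section should be paired with the name-based hunting in the detection section rather than relied on alone.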
Patch Information
Refer to the official CVE record and CISA CSAF advisory for the latest vendor patch information. Organizations should contact NSecsoft directly for remediation guidance and updated driver versions that address this vulnerability.
Workarounds
- Deploy driver blocklisting policies to prevent the vulnerable driver from loading
- Enable Secure Boot and require signed drivers to prevent unauthorized driver loading
- Implement least-privilege access controls to limit which users can install or load drivers
- Use virtualization-based security (VBS) features to protect critical processes from kernel-level termination
# Block vulnerable driver using Windows Defender Application Control (WDAC)
# Create a deny rule for the vulnerable driver by hash. -Deny turns the
# scanned files into deny rules (without it New-CIPolicy emits allow rules);
# the ScanPath directory must contain a copy of the driver file.
New-CIPolicy -FilePath "C:\Policies\NSecKrnlBlock.xml" -Level Hash -ScanPath "C:\VulnerableDriver\" -Deny
# Option 3 is "Enabled:Audit Mode": the policy only logs what it would block.
# Before enforcing, merge it into your base allow policy (Merge-CIPolicy) and
# remove the option with "Set-RuleOption ... -Option 3 -Delete".
Set-RuleOption -FilePath "C:\Policies\NSecKrnlBlock.xml" -Option 3
# Compile the XML policy into the binary form the kernel consumes
ConvertFrom-CIPolicy "C:\Policies\NSecKrnlBlock.xml" "C:\Policies\NSecKrnlBlock.bin"
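To confirm that a WDAC policy is actually acting on the driver rather than sitting unapplied, the added query below (not from the advisory) reads the Microsoft-Windows-CodeIntegrity/Operational log, where an audit-mode policy records a would-be block as Event ID 3076 and an enforced policy records a real block as Event ID 3077. The `NSecKrnl` pattern and the regex used to pull the file name out of the message text are assumptions; adjust them to the driver name and message format you see.

```powershell
# Added example (not from the advisory): show Code Integrity events for the
# driver so an audit-mode policy (3076) can be validated before enforcement,
# and an enforced policy (3077) can be confirmed to block it.
# Assumption: 'NSecKrnl' appears in the event message's file name.
param(
    [string]$Pattern   = 'NSecKrnl',
    [int]$LookbackDays = 7
)

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    Select-Object TimeCreated,
        @{ Name = 'Mode'; Expression = {
            if ($_.Id -eq 3076) { 'audit (would have blocked)' } else { 'enforced (blocked)' } } },
        @{ Name = 'File'; Expression = {
            # First message line mentioning a .sys image; format varies by build.
            (($_.Message -split "`n") | Select-String '\.sys' | Select-Object -First 1).Line.Trim() } } |
    Format-Table -AutoSize
```

Seeing only 3076 entries after deploying the policy means it is still in audit mode (rule option 3 is set); the driver can still load until the option is removed and the enforced policy is redeployed.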
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

