CVE-2025-70795 Overview
A driver vulnerability exists in STProcessMonitor 11.11.4.0, part of the Safetica Application suite, that allows a local user with sufficient privileges to send crafted IOCTL requests that terminate processes protected by third-party implementations. The flaw stems from insufficient caller validation in the driver's IOCTL handler: processes that are not authorized Safetica components can trigger kernel-space operations that disrupt critical services.
Critical Impact
Successful exploitation enables denial of service attacks by allowing unauthorized process termination of protected third-party services and applications through kernel-level driver manipulation.
Affected Products
- STProcessMonitor 11.11.4.0
- Safetica Application Suite (which contains the vulnerable driver)
Discovery Timeline
- 2026-04-17 - CVE-2025-70795 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2025-70795
Vulnerability Analysis
This vulnerability is classified under CWE-269 (Improper Privilege Management) and represents a driver-level security flaw in the STProcessMonitor component. The core issue lies in the IOCTL handler's failure to properly validate the identity and privileges of calling processes before executing sensitive kernel-space operations.
Once the vulnerable driver is loaded, an unauthorized process can send a specially crafted IOCTL request using control code 0xB822200C. Because the caller is not validated, the driver accepts and processes the request, allowing the attacker to terminate processes that are supposed to be protected by third-party security implementations.
The local attack vector requires an attacker to have existing access to the target system. Once local access is obtained, exploitation can be achieved with low complexity and without requiring user interaction.
Root Cause
The root cause of CVE-2025-70795 is insufficient caller validation in the driver's IOCTL handler routine. The STProcessMonitor.sys driver fails to verify whether the process sending IOCTL requests has legitimate authorization to perform protected operations. This missing validation allows any local process with sufficient privileges to load the driver and issue commands that should be restricted to authorized Safetica components only.
This type of vulnerability is commonly observed in "Living off the Land Drivers" (LOLDrivers), where legitimate signed drivers contain security weaknesses that can be exploited by attackers to perform malicious actions while bypassing security controls.
Attack Vector
The attack leverages local system access to interact with the vulnerable kernel driver. An attacker with local privileges can:
- Load the STProcessMonitor.sys driver into the kernel
- Open a handle to the driver device object
- Send a crafted IOCTL request with control code 0xB822200C
- Specify the process ID of a protected target process
- Trigger the driver to terminate the specified process, bypassing third-party protection mechanisms
Exploitation requires an IOCTL request with control code 0xB822200C that reaches the vulnerable handler. Because the driver operates in kernel space, a successful request terminates processes that would otherwise be protected by security software or other third-party implementations.
Detection Methods for CVE-2025-70795
Indicators of Compromise
- Unexpected loading of STProcessMonitor.sys driver outside normal Safetica application operations
- Process termination events affecting security software or protected services without corresponding application errors
- IOCTL requests to STProcessMonitor driver from processes not associated with Safetica software
- Anomalous driver load events followed immediately by protected process termination
Detection Strategies
- Monitor for driver load events involving STProcessMonitor.sys from unexpected parent processes or locations
- Implement driver allowlisting to detect unauthorized use of the vulnerable driver; signature verification alone is not sufficient, because the driver carries a valid vendor signature (see the LOLDrivers note above)
- Deploy endpoint detection rules for IOCTL calls to STProcessMonitor devices from non-Safetica processes
- Use behavioral analytics to correlate driver loads with subsequent unexpected process termination events
Monitoring Recommendations
- Enable Windows kernel auditing (for example Sysmon driver-load events) to capture driver loads; IOCTL traffic to the device object is not logged by default and requires EDR or ETW-based instrumentation
- Configure SentinelOne to monitor for suspicious driver activity and process termination patterns
- Establish baseline behavior for Safetica components to identify anomalous driver interactions
- Review VirusTotal analysis reports for driver file hashes to identify known vulnerable versions
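The detection strategies and monitoring recommendations above boil down to one correlation: a load of the vulnerable driver (by file name or by known hash, so a renamed copy is still caught) that comes from an unexpected location or is followed shortly by termination of a protected process. The script below is an added example, not Safetica's, SentinelOne's or the advisory's code. It runs over constructed events whose fields are modelled on Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate); the expected install directory, the protected-process names and the SHA-256 value are assumptions or placeholders (real hashes come from the VirusTotal reports the advisory cites).

```python
"""Correlate STProcessMonitor.sys driver loads with later terminations of
security-relevant processes. Added detection sketch for CVE-2025-70795 over
constructed Sysmon-style events; not vendor code."""
from datetime import datetime, timedelta
import ntpath

DRIVER_NAME = "stprocessmonitor.sys"
# Assumption: where a legitimate Safetica install places the driver.
EXPECTED_DIR = "c:\\program files\\safetica\\"
# Placeholder: fill from the VirusTotal reports for the affected build.
KNOWN_VULNERABLE_SHA256 = {"placeholder_sha256_of_stprocessmonitor_11_11_4_0"}
# Example configuration: processes whose termination right after a driver
# load is suspicious (security agents, third-party protected services).
PROTECTED_PROCESSES = {"msmpeng.exe", "sentinelagent.exe"}
WINDOW = timedelta(seconds=60)

# Constructed events (not real telemetry): id 6 = DriverLoad, id 5 = ProcessTerminate.
EVENTS = [
    {"time": "2026-04-17T10:00:00", "id": 6,
     "image": "C:\\Program Files\\Safetica\\STProcessMonitor.sys",
     "hashes": "SHA256=placeholder_sha256_of_stprocessmonitor_11_11_4_0"},
    {"time": "2026-04-17T10:00:05", "id": 5,
     "image": "C:\\Windows\\System32\\svchost.exe"},
    # A renamed copy of the same driver loaded from a user-writable directory,
    # followed two seconds later by termination of a security agent.
    {"time": "2026-04-17T11:30:00", "id": 6,
     "image": "C:\\Users\\Public\\tmp\\stpm.sys",
     "hashes": "SHA256=placeholder_sha256_of_stprocessmonitor_11_11_4_0"},
    {"time": "2026-04-17T11:30:02", "id": 5,
     "image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"},
]


def parse_hashes(field):
    """Split a Sysmon-style 'SHA256=...,MD5=...' string into {ALGO: lowercase value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def is_vulnerable_driver(event):
    """Match on file name or on a known-vulnerable hash (catches renamed copies)."""
    name = ntpath.basename(event["image"]).lower()
    sha256 = parse_hashes(event.get("hashes", "")).get("SHA256", "")
    return name == DRIVER_NAME or sha256 in KNOWN_VULNERABLE_SHA256


def correlate(events):
    """Return one alert per suspicious driver load, each with its reasons."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, event in enumerate(events):
        if event["id"] != 6 or not is_vulnerable_driver(event):
            continue
        reasons = []
        if not event["image"].lower().startswith(EXPECTED_DIR):
            reasons.append(f"driver loaded from unexpected path {event['image']}")
        t0 = datetime.fromisoformat(event["time"])
        for later in events[i + 1:]:
            delta = datetime.fromisoformat(later["time"]) - t0
            if delta > WINDOW:
                break  # events are sorted, nothing later is inside the window
            target = ntpath.basename(later["image"]).lower()
            if later["id"] == 5 and target in PROTECTED_PROCESSES:
                reasons.append(f"protected process {target} terminated "
                               f"{int(delta.total_seconds())}s after load")
        if reasons:
            alerts.append({"time": event["time"], "driver": event["image"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["time"], alert["driver"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The legitimate load from the install directory followed by an unrelated svchost.exe exit produces no alert, while the renamed copy is caught by hash, flagged for its path, and tied to the agent termination two seconds later. Tune WINDOW and PROTECTED_PROCESSES to the baseline you establish for Safetica components.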
How to Mitigate CVE-2025-70795
Immediate Actions Required
- Audit systems for the presence of STProcessMonitor version 11.11.4.0 and remove or restrict access to the vulnerable driver
- Implement application control policies to prevent unauthorized loading of the vulnerable driver
- Monitor for exploitation attempts using endpoint detection and response tools
- Review and restrict local administrative privileges to minimize the attack surface
Patch Information
Organizations should contact Safetica for an updated STProcessMonitor driver that adds proper caller validation to the IOCTL handler. Review GitHub LOLDrivers Issue #268 and the associated LOLDrivers commit for additional technical details and community tracking of this vulnerability.
Additional analysis of the vulnerable driver files is available through VirusTotal: File Analysis #70bcec00, File Analysis #9ace6a1e, and File Analysis #fc358848.
Workarounds
- Block or remove the vulnerable STProcessMonitor.sys driver from systems where Safetica functionality is not required
- Implement Windows Defender Application Control (WDAC) or similar policies to restrict driver loading to authorized binaries
- Use driver blocklist capabilities in endpoint security solutions to prevent the vulnerable driver from loading
- Restrict local administrator access to limit the ability to load kernel drivers
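The immediate actions and workarounds above start with an inventory question: which hosts carry STProcessMonitor.sys, at which version, from which path, and do they need Safetica at all. The script below is an added example, not Safetica's or the advisory's code; it evaluates a constructed per-host driver inventory (the kind you would collect with file version and path data from each endpoint) against the advisory's affected version and turns each hit into the corresponding action. The expected install directory is an assumption, and versions are compared as integer tuples because a plain string comparison would rank "9.0.0.0" above "11.11.4.0".

```python
"""Audit a driver inventory for the STProcessMonitor build named in the advisory.
Added example over constructed input; not Safetica's or the advisory's code."""
import ntpath

DRIVER_NAME = "stprocessmonitor.sys"
AFFECTED_VERSIONS = {(11, 11, 4, 0)}           # from the advisory
EXPECTED_DIR = "c:\\program files\\safetica\\"  # assumption


def parse_version(text):
    """Parse '11.11.4.0' into a comparable 4-tuple of ints, padding short versions."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def audit_host(hostname, drivers, safetica_required):
    """Return findings for one host.

    `drivers` is a list of dicts with 'path' and 'version' (file version string);
    `safetica_required` says whether this host legitimately runs Safetica."""
    findings = []
    for driver in drivers:
        if ntpath.basename(driver["path"]).lower() != DRIVER_NAME:
            continue
        version = parse_version(driver["version"])
        actions = []
        if version in AFFECTED_VERSIONS:
            actions.append("affected build per advisory: remove or restrict access")
        else:
            actions.append("version not listed in advisory: confirm fix status with Safetica")
        if not driver["path"].lower().startswith(EXPECTED_DIR):
            actions.append("driver outside expected install directory: investigate")
        if not safetica_required:
            actions.append("Safetica not required on this host: block via WDAC or EDR driver blocklist")
        findings.append({"host": hostname, "path": driver["path"],
                         "version": ".".join(map(str, version)), "actions": actions})
    return findings


def audit_fleet(inventory):
    """Flatten per-host findings for a whole inventory."""
    return [finding
            for host, info in inventory.items()
            for finding in audit_host(host, info["drivers"], info["safetica_required"])]


# Constructed inventory (not real hosts or collected data).
INVENTORY = {
    "ws-01": {"safetica_required": True, "drivers": [
        {"path": "C:\\Program Files\\Safetica\\STProcessMonitor.sys", "version": "11.11.4.0"},
        {"path": "C:\\Windows\\System32\\drivers\\ndis.sys", "version": "10.0.19041.1"},
    ]},
    "ws-02": {"safetica_required": False, "drivers": [
        {"path": "C:\\Temp\\STProcessMonitor.sys", "version": "11.11.4.0"},
    ]},
}

if __name__ == "__main__":
    for finding in audit_fleet(INVENTORY):
        print(f"{finding['host']}: {finding['path']} ({finding['version']})")
        for action in finding["actions"]:
            print("  -", action)
```

ws-01 runs Safetica from the expected location and gets the single "remove or restrict" action pending a vendor fix; ws-02 has the affected build in a temporary directory on a host that does not need Safetica, so it collects all three actions, including a WDAC or EDR blocklist entry.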
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


