CVE-2026-0828 Overview
CVE-2026-0828 is a kernel driver vulnerability in Safetica's endpoint client for Windows x64. The flaw exists in ProcessMonitorDriver.sys, shipped with versions 10.5.75.0 and 11.11.4.0. An unprivileged local user can abuse an exposed IOCTL (I/O control) path to terminate protected system processes. Successful exploitation disables security agents, antivirus services, and other tamper-protected processes that depend on the affected driver's trust boundary.
Critical Impact
An unprivileged user can terminate protected system processes on affected Safetica endpoints, undermining endpoint defenses and enabling further post-exploitation activity.
Affected Products
- Safetica endpoint client x64, version 10.5.75.0
- Safetica endpoint client x64, version 11.11.4.0
- ProcessMonitorDriver.sys kernel driver shipped with the above releases
Discovery Timeline
- 2026-06-26 - CVE-2026-0828 published to NVD
- 2026-06-26 - Last updated in NVD database
Technical Details for CVE-2026-0828
Vulnerability Analysis
The vulnerability resides in ProcessMonitorDriver.sys, a Windows kernel-mode driver installed by the Safetica endpoint client. Kernel drivers expose functionality to user-mode code through IOCTL request handlers dispatched via DeviceIoControl. In affected builds, one such handler accepts termination requests without adequately validating the caller's privilege level or the identity of the target process.
An attacker running as a standard user opens a handle to the driver's device object and issues a crafted IOCTL. The driver then acts on behalf of the caller with kernel privileges, terminating processes that are otherwise protected by Windows Protected Process Light (PPL) or other tamper-protection mechanisms. This provides a Bring-Your-Own-Vulnerable-Driver (BYOVD) style primitive on any host where Safetica is installed.
Root Cause
The root cause is a missing authorization check in the IOCTL dispatch path of ProcessMonitorDriver.sys. The driver trusts user-mode input identifying a target process ID and invokes a kernel-mode termination routine without verifying the caller belongs to a privileged group or that the request originated from the Safetica management service.
Attack Vector
Exploitation requires code execution as an unprivileged local user on a host running the affected Safetica endpoint client. The attacker opens the driver device with CreateFile, then calls DeviceIoControl with the vulnerable IOCTL code and a process identifier. Technical details are documented in the CERT Vulnerability Advisory #818729.
No verified exploit code has been published. See the Safetica security resources and the CERT advisory for further reference.
Detection Methods for CVE-2026-0828
Indicators of Compromise
- Unexpected termination of security agent processes, EDR services, or the Safetica agent itself on hosts where the driver is loaded.
- Non-administrative user sessions opening handles to the ProcessMonitorDriver device object followed by DeviceIoControl calls.
- Windows Event Log entries showing abnormal process exit codes for protected processes without corresponding service stop events.
Detection Strategies
- Enable kernel driver telemetry to log IRP_MJ_DEVICE_CONTROL requests targeting ProcessMonitorDriver.sys from non-Safetica parent processes.
- Correlate process termination events (Sysmon Event ID 5) for tamper-protected security processes with the presence of the Safetica driver on the host.
- Hunt for user-mode processes running under standard user tokens that open handles to \\.\ProcessMonitorDriver or similar Safetica device paths.
Monitoring Recommendations
- Inventory endpoints running Safetica versions 10.5.75.0 and 11.11.4.0 and flag them for prioritized patching.
- Alert on any stop, crash, or unexpected exit of the local endpoint protection agent, particularly when initiated by a non-SYSTEM process.
- Monitor for driver load events for ProcessMonitorDriver.sys on hosts outside the expected Safetica deployment scope.
How to Mitigate CVE-2026-0828
Immediate Actions Required
- Identify all Windows x64 endpoints running Safetica versions 10.5.75.0 or 11.11.4.0 and schedule remediation.
- Restrict local user code execution on affected hosts through application control policies until a fixed build is deployed.
- Ensure secondary endpoint protection mechanisms remain active and monitored so that termination of the Safetica agent is detected immediately.
Patch Information
Refer to the vendor for a fixed release. Consult the Safetica vendor site and the CERT Vulnerability Advisory #818729 for update guidance and any interim vendor recommendations.
Workarounds
- Where a patched version is not yet available, evaluate uninstalling or disabling the Safetica endpoint client on high-risk systems in coordination with the vendor.
- Apply Microsoft's vulnerable driver blocklist and WDAC policies to prevent unauthorized loading of the affected ProcessMonitorDriver.sys versions.
- Limit interactive logon on servers and sensitive workstations to reduce the pool of unprivileged users able to reach the driver's IOCTL interface.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

