Skip to main content
CVE Vulnerability Database

CVE-2026-0828: Safetica Privilege Escalation Vulnerability

CVE-2026-0828 is a privilege escalation vulnerability in Safetica's endpoint client that allows unprivileged users to terminate protected system processes. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-0828 Overview

CVE-2026-0828 is a kernel driver vulnerability in Safetica's endpoint client for Windows x64. The flaw exists in ProcessMonitorDriver.sys, shipped with versions 10.5.75.0 and 11.11.4.0. An unprivileged local user can abuse an exposed IOCTL (I/O control) path to terminate protected system processes. Successful exploitation disables security agents, antivirus services, and other tamper-protected processes that depend on the affected driver's trust boundary.

Critical Impact

An unprivileged user can terminate protected system processes on affected Safetica endpoints, undermining endpoint defenses and enabling further post-exploitation activity.

Affected Products

  • Safetica endpoint client x64, version 10.5.75.0
  • Safetica endpoint client x64, version 11.11.4.0
  • ProcessMonitorDriver.sys kernel driver shipped with the above releases

Discovery Timeline

  • 2026-06-26 - CVE-2026-0828 published to NVD
  • 2026-06-26 - Last updated in NVD database

Technical Details for CVE-2026-0828

Vulnerability Analysis

The vulnerability resides in ProcessMonitorDriver.sys, a Windows kernel-mode driver installed by the Safetica endpoint client. Kernel drivers expose functionality to user-mode code through IOCTL request handlers dispatched via DeviceIoControl. In affected builds, one such handler accepts termination requests without adequately validating the caller's privilege level or the identity of the target process.

An attacker running as a standard user opens a handle to the driver's device object and issues a crafted IOCTL. The driver then acts on behalf of the caller with kernel privileges, terminating processes that are otherwise protected by Windows Protected Process Light (PPL) or other tamper-protection mechanisms. This provides a Bring-Your-Own-Vulnerable-Driver (BYOVD) style primitive on any host where Safetica is installed.

Root Cause

The root cause is a missing authorization check in the IOCTL dispatch path of ProcessMonitorDriver.sys. The driver trusts user-mode input identifying a target process ID and invokes a kernel-mode termination routine without verifying the caller belongs to a privileged group or that the request originated from the Safetica management service.

Attack Vector

Exploitation requires code execution as an unprivileged local user on a host running the affected Safetica endpoint client. The attacker opens the driver device with CreateFile, then calls DeviceIoControl with the vulnerable IOCTL code and a process identifier. Technical details are documented in the CERT Vulnerability Advisory #818729.

No verified exploit code has been published. See the Safetica security resources and the CERT advisory for further reference.

Detection Methods for CVE-2026-0828

Indicators of Compromise

  • Unexpected termination of security agent processes, EDR services, or the Safetica agent itself on hosts where the driver is loaded.
  • Non-administrative user sessions opening handles to the ProcessMonitorDriver device object followed by DeviceIoControl calls.
  • Windows Event Log entries showing abnormal process exit codes for protected processes without corresponding service stop events.

Detection Strategies

  • Enable kernel driver telemetry to log IRP_MJ_DEVICE_CONTROL requests targeting ProcessMonitorDriver.sys from non-Safetica parent processes.
  • Correlate process termination events (Sysmon Event ID 5) for tamper-protected security processes with the presence of the Safetica driver on the host.
  • Hunt for user-mode processes running under standard user tokens that open handles to \\.\ProcessMonitorDriver or similar Safetica device paths.

Monitoring Recommendations

  • Inventory endpoints running Safetica versions 10.5.75.0 and 11.11.4.0 and flag them for prioritized patching.
  • Alert on any stop, crash, or unexpected exit of the local endpoint protection agent, particularly when initiated by a non-SYSTEM process.
  • Monitor for driver load events for ProcessMonitorDriver.sys on hosts outside the expected Safetica deployment scope.

How to Mitigate CVE-2026-0828

Immediate Actions Required

  • Identify all Windows x64 endpoints running Safetica versions 10.5.75.0 or 11.11.4.0 and schedule remediation.
  • Restrict local user code execution on affected hosts through application control policies until a fixed build is deployed.
  • Ensure secondary endpoint protection mechanisms remain active and monitored so that termination of the Safetica agent is detected immediately.

Patch Information

Refer to the vendor for a fixed release. Consult the Safetica vendor site and the CERT Vulnerability Advisory #818729 for update guidance and any interim vendor recommendations.

Workarounds

  • Where a patched version is not yet available, evaluate uninstalling or disabling the Safetica endpoint client on high-risk systems in coordination with the vendor.
  • Apply Microsoft's vulnerable driver blocklist and WDAC policies to prevent unauthorized loading of the affected ProcessMonitorDriver.sys versions.
  • Limit interactive logon on servers and sensitive workstations to reduce the pool of unprivileged users able to reach the driver's IOCTL interface.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.