CVE-2025-45737
BaseFortify
Publication date: 2025-06-27
Last updated on: 2025-10-15
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netease | neacsafe64 | to 1.0.0.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-45737 is a vulnerability in the NeacSafe64.sys driver, part of NetEase's anti-cheat solution for PC games. The driver exposes message handlers that allow attackers to perform arbitrary kernel-space memory read and write operations. By sending crafted IOCTL commands, an attacker can inject shellcode into kernel memory, hijack function pointers, and execute arbitrary code with SYSTEM-level privileges, effectively escalating their privileges on the system. [1]
How can this vulnerability impact me? :
This vulnerability allows a local attacker to escalate their privileges to SYSTEM level by exploiting the NeacSafe64.sys driver. This means an attacker could execute arbitrary code in kernel mode, potentially leading to full control over the affected system, including reading or modifying memory of other processes, changing memory page attributes, and terminating processes. Such control can compromise system integrity, confidentiality, and availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of the NeacSafe64.sys driver installed on the system. Versions prior to v1.0.0.8 are vulnerable. Additionally, running the NeacController.exe tool can help verify the presence of the vulnerable driver. For detection, you can check loaded drivers with commands like 'driverquery' or 'sc query NeacSafe64' on Windows. Monitoring for unusual IOCTL commands (Opcode 14 and 70) sent to NeacSafe64.sys could also indicate exploitation attempts. Using a debugger or kernel crash analysis tools to detect the INT3 breakpoint (0xCC) or BSOD caused by crafted IOCTLs can further confirm exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the NeacSafe64.sys driver to version 1.0.0.8 or later, which contains the fix for this vulnerability. If an update is not immediately available, consider disabling or uninstalling the NeacSafe64 driver and related components (such as NeacController.exe) to prevent exploitation. Restrict local user access to prevent unprivileged users from sending crafted IOCTL commands to the driver. Monitoring and blocking suspicious IOCTL traffic targeting Opcode 14 and 70 can also help mitigate exploitation attempts. [1]