CVE-2025-50892
BaseFortify

Publication date: 2025-09-10

Last updated on: 2025-10-20

Assigner: MITRE

Description
The eudskacs.sys driver version 20250328 shipped with EaseUS Todo Backup 1.2.0.1 fails to properly validate privileges for I/O requests (IRP_MJ_READ/IRP_MJ_WRITE) sent to its device object. This allows a local, low-privileged attacker to perform arbitrary raw disk reads and writes, leading to sensitive information disclosure, denial of service, or local privilege escalation.
Meta Information
Published: 2025-09-10
Last Modified: 2025-10-20
Generated: 2026-06-16
AI Q&A: 2025-09-10
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: easeus
Product: eudskacs.sys_driver
Version / Range: 20250328
CWE
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Executive Summary

This vulnerability exists in the eudskacs.sys driver version 20250328, part of EaseUS Todo Backup 1.2.0.1. The driver does not properly check user privileges for certain input/output requests (IRP_MJ_READ and IRP_MJ_WRITE) to its device object. Because of this, a local attacker with low privileges can perform arbitrary raw disk reads and writes, which normally require higher privileges. [1]

Impact Analysis

An attacker exploiting this vulnerability can read and write raw disk data arbitrarily. This can lead to disclosure of sensitive information such as critical system files (including the SAM and SYSTEM registry hives), denial of service through corruption of data or system state, or privilege escalation on the affected system, potentially giving the attacker full control. [1]

Detection Guidance

Detection consists of checking whether the vulnerable eudskacs.sys driver, version 20250328, is installed on the system. Because the flaw is improper privilege validation for I/O requests to the driver's device object, this means verifying both the driver version and whether the driver is loaded. On Windows systems, loaded drivers can be listed with system tools such as 'sc query eudskacs' or 'driverquery'. Checking the driver file version in the system drivers directory helps confirm whether the vulnerable version is present. [1]
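
The checks described above can be combined into one inventory script. This is an added example, not part of the original advisory or any vendor tooling; the default driver path and the way the advisory's version string appears in the file's version resource are assumptions.

```powershell
# Added example: inventory check for the eudskacs driver on one Windows host.
# Assumptions: service name 'eudskacs' (from the 'sc query' command above) and
# the default driver path under %SystemRoot%\System32\drivers.
$DriverName  = 'eudskacs'
$VulnVersion = '20250328'   # version string as given in the advisory
$DefaultPath = Join-Path $env:SystemRoot "System32\drivers\$DriverName.sys"

function Get-EudskacsStatus {
    # Registered kernel driver service, if any (same data as 'sc query').
    $svc = Get-CimInstance -ClassName Win32_SystemDriver `
        -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue

    # Prefer the image path the service points at; strip an NT '\??\' prefix.
    $path = $DefaultPath
    if ($svc -and $svc.PathName) { $path = $svc.PathName -replace '^\\\?\?\\', '' }

    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $ver = $null; $sig = $null; $hash = $null
    if ($file) {
        $ver  = $file.VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }

    # Heuristic: how the advisory's version maps onto the file's version
    # resource is not stated, so any copy found should be reviewed by hand.
    $match = [bool](@($ver.FileVersion, $ver.ProductVersion) -match [regex]::Escape($VulnVersion))

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ServicePresent = [bool]$svc
        ServiceState   = if ($svc) { $svc.State } else { $null }      # 'Running' = loaded
        StartMode      = if ($svc) { $svc.StartMode } else { $null }
        FilePresent    = [bool]$file
        Path           = $path
        FileVersion    = $ver.FileVersion
        ProductVersion = $ver.ProductVersion
        Signer         = $sig.SignerCertificate.Subject
        SHA256         = $hash
        VersionMatch   = $match
    }
}

Get-EudskacsStatus | Format-List
```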

Mitigation Strategies

Immediate mitigation steps include removing or disabling the vulnerable eudskacs.sys driver version 20250328 from the system, or upgrading EaseUS Todo Backup to a version that does not include this vulnerable driver. Restricting local user access to prevent exploitation and monitoring for suspicious activity related to raw disk reads and writes can also help mitigate risk until a patch or update is applied. [1]
