CVE-2025-67790
Unterminated String IOCTL Causes BSOD in DriveLock Windows
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drivelock | drivelock | From 24.1 (inc) to 24.1.6 (exc) |
| drivelock | drivelock | From 24.2 (inc) to 24.2.7 (exc) |
| drivelock | drivelock | From 25.1 (inc) to 25.1.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-170 | The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a buffer overread issue in the DriveLock Driver on Windows endpoints. It occurs when a local non-privileged user sends crafted IOCTL calls containing unterminated wide strings. The driver fails to properly validate these strings, which can cause a buffer overread and lead to a Blue Screen of Death (BSOD), resulting in a denial of service. [1]
How can this vulnerability impact me? :
The vulnerability can cause a Blue Screen of Death (BSOD) on affected Windows systems, leading to a denial of service. This means that an unprivileged local user could crash the system occasionally, impacting system availability. The impact on confidentiality is none, integrity is low, and availability is low. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is exploitable locally via crafted IOCTL calls by non-privileged users. Detection involves monitoring for unusual or malformed IOCTL requests to the DriveLock driver on Windows endpoints. Specific commands are not provided, but system administrators should audit IOCTL calls and look for attempts to pass unterminated wide strings to the driver. Endpoint monitoring tools that track IOCTL usage or Windows Event Logs related to driver errors or BSOD events may help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating DriveLock to the patched versions: 24.1.6, 24.2.7, or 25.1.5. Until updates can be applied, restrict local access to trusted users only, implement application control to prevent untrusted code execution, and harden endpoints to limit exposure of the IOCTL interface. These measures reduce the risk of exploitation by making it difficult for local non-privileged users to trigger the vulnerability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.