CVE-2025-68947
Unknown Unknown - Not Provided
Privilege Escalation via IOCTL in NSecsoft NSecKrnl Driver

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68947
EUVD
EUVD-2025-206286
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
nsecsoft nseckrnl *
shandong_anzai_information_technology nseckrnl *
nsecsoft nsecsoftbyovd *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68947 is a vulnerability in the NSecsoft 'NSecKrnl' Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes. The attacker issues specially crafted IOCTL requests to the driver, which then uses kernel functions to locate and terminate targeted processes. This vulnerability is exploited in a malicious campaign by ValleyRAT using a Bring Your Own Vulnerable Driver (BYOVD) technique, where a signed but vulnerable driver is loaded from a user-writable temporary directory. The driver listens for commands to terminate specific security-related processes, enabling attackers to disable endpoint security products persistently. [1, 2]

Impact Analysis

This vulnerability can allow attackers to disable security software on affected systems by terminating their processes, including antivirus and endpoint protection services. This can lead to a compromised system where malware or remote access trojans (RATs) can operate undetected, increasing the risk of data theft, system control loss, and further exploitation. The persistent termination of security processes makes detection and remediation more difficult, potentially allowing attackers to maintain long-term access. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart