CVE-2025-68947
Unknown Unknown - Not Provided

Privilege Escalation via IOCTL in NSecsoft NSecKrnl Driver

Vulnerability report for CVE-2025-68947, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description

NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
nsecsoft nseckrnl *
shandong_anzai_information_technology nseckrnl *
nsecsoft nsecsoftbyovd *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-68947 is a vulnerability in the NSecsoft 'NSecKrnl' Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes. The attacker issues specially crafted IOCTL requests to the driver, which then uses kernel functions to locate and terminate targeted processes. This vulnerability is exploited in a malicious campaign by ValleyRAT using a Bring Your Own Vulnerable Driver (BYOVD) technique, where a signed but vulnerable driver is loaded from a user-writable temporary directory. The driver listens for commands to terminate specific security-related processes, enabling attackers to disable endpoint security products persistently. [1, 2]

Impact Analysis

This vulnerability can allow attackers to disable security software on affected systems by terminating their processes, including antivirus and endpoint protection services. This can lead to a compromised system where malware or remote access trojans (RATs) can operate undetected, increasing the risk of data theft, system control loss, and further exploitation. The persistent termination of security processes makes detection and remediation more difficult, potentially allowing attackers to maintain long-term access. [1, 2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart