CVE-2025-14963
Received - Intake
Privilege Escalation via Vulnerable Trellix HX Agent Driver (fekern.sys)

Publication date: 2026-02-24

Last updated on: 2026-02-26

Assigner: Trellix

Description
A vulnerability identified in the HX Agent driver file fekern.sys allowed a threat actor with local user access to gain elevated system privileges. A Bring Your Own Vulnerable Driver (BYOVD) technique was leveraged to gain access to the memory of the critical Windows process lsass.exe (Local Security Authority Subsystem Service). fekern.sys is a driver file associated with the HX Agent and is used in all existing HX Agent versions. The vulnerable driver, when installed in a product or on a system running a fully functional HX Agent, is not itself exploitable, because the product's tamper protection restricts communication with the driver to the Agent's own processes.
Meta Information
Published: 2026-02-24
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor    Product             Version / Range
trellix   endpoint_security   From 30.0.0 (inc) to 34.0.0 (inc)
trellix   endpoint_security   35.31.0-37
trellix   endpoint_security   36.30.0-17
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Trellix HX Agent driver file fekern.sys, which allows a threat actor with local user access to gain elevated system privileges.

The attack involves using a Bring Your Own Vulnerable Driver (BYOVD) technique to access the critical Windows process memory of lsass.exe (Local Security Authority Subsystem Service).

However, the vulnerable driver itself is not exploitable when installed in a system running the fully functional HX Agent because the product's tamper protection restricts communication with the driver to only the agent's own processes.


How can this vulnerability impact me?

If exploited, this vulnerability could allow a local user to gain elevated system privileges, potentially leading to unauthorized access to sensitive system processes such as lsass.exe.

This elevated access could enable an attacker to extract sensitive information or perform actions with higher privileges than intended.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know

