CVE-2026-12781
Status: Received - Intake
Improper Access Control in EaseUS Partition Master Kernel Driver

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulDB

Description
A vulnerability was identified in EaseUS Partition Master up to 14.5. The affected element is an unknown function in the library epmntdrv.sys of the component Kernel Driver. The manipulation leads to improper access controls. The attack needs to be performed locally. The exploit is publicly available and might be used. You should upgrade the affected component. The vendor explains: "We have confirmed that this issue was present only in older versions of the product. Our product has since been updated, and the issue has been resolved in the latest version, so it no longer exists."
Meta Information

  • Published: 2026-06-21
  • Last Modified: 2026-06-21
  • Generated: 2026-06-21
  • AI Q&A: 2026-06-21
  • EPSS Evaluated: N/A
Affected Vendors & Products

  • Vendor: easeus
  • Product: partition_master
  • Version / Range: to 14.5 (exc)
CWE

  • CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
  • CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Executive Summary

CVE-2026-12781 is a local privilege escalation vulnerability in EaseUS Partition Master version 14.5. It arises from a flaw in the kernel driver epmntdrv.sys, which exposes a device path allowing standard users to perform raw disk read and write operations without proper access controls.

Normally, users with medium integrity cannot access protected files or raw disks directly, but this driver bypasses those restrictions by forwarding requests to the lower storage stack without enforcing proper access validation.

This allows unprivileged users to read and overwrite administrator-only protected files, tamper with critical system files, registry hives, or service configurations, effectively escalating their privileges on the system.

Impact Analysis

This vulnerability can allow a local attacker with standard user privileges to escalate their privileges to administrator level by exploiting the kernel driver to read and write protected system files.

Such unauthorized access can lead to modification or corruption of critical system files, registry settings, or service configurations, potentially compromising system integrity, stability, and security.

Because the exploit is publicly available and the driver is signed and loaded via the official installer, the risk of exploitation is significant if the affected version is in use.

Upgrading to the latest version of EaseUS Partition Master, where this issue has been resolved, is recommended to mitigate this risk.

Detection Guidance

This vulnerability can be detected by checking for the presence and usage of the kernel driver epmntdrv.sys associated with EaseUS Partition Master version 14.5. Since the driver exposes a device path (\\.\EPMNTDRV\<disk>) that allows raw disk read and write operations, monitoring for access to this device path by non-administrative users can indicate exploitation attempts.

You can use Windows command-line tools to check if the driver is loaded and if the device path exists.

  • Use the command `sc query epmntdrv` to check if the epmntdrv.sys driver service is running.
  • Use `handle.exe` from Sysinternals to search for handles to \\.\EPMNTDRV\ device paths to see if any processes are accessing it.
  • Use PowerShell to check for loaded drivers: `Get-WmiObject Win32_SystemDriver | Where-Object { $_.Name -eq 'epmntdrv' }`.

Additionally, monitoring for unusual read/write operations to physical drives or protected files by non-administrative users may help detect exploitation attempts.
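
The checks above can be combined into one inventory function that reports whether the `epmntdrv` driver is registered, where its file lives, who signed it, and which product version is installed. This is an added example, not code from the advisory or the vendor; the uninstall-entry name `EaseUS Partition Master*`, the function names, and treating versions up to 14.5 as affected are assumptions.

```powershell
# Added example: inventory check for the driver named on this page.
# Assumptions (not from the advisory): the product's uninstall entry has a DisplayName
# starting with "EaseUS Partition Master"; DisplayVersion <= 14.5 is treated as affected.
function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may be NT-style (\??\C:\...) or SystemRoot-relative.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\') { $p = Join-Path $env:SystemRoot ($p -replace '^\\SystemRoot\\', '') }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}
function Get-EpmntdrvExposure {
    param([version]$LastAffected = '14.5')
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='epmntdrv'" -ErrorAction SilentlyContinue
    $file = $null; $sig = $null
    if ($drv -and $drv.PathName) {
        $path = Resolve-DriverPath $drv.PathName
        if (Test-Path -LiteralPath $path) {
            $file = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
        }
    }
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $product = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EaseUS Partition Master*' } |
        Select-Object -First 1
    $ver = $null   # stays null when the version string cannot be parsed
    if ($product -and $product.DisplayVersion -match '^\d+(\.\d+){1,3}') { $ver = [version]$Matches[0] }
    [pscustomobject]@{
        DriverRegistered = [bool]$drv
        DriverState      = $drv.State
        StartMode        = $drv.StartMode
        DriverFile       = $file.FullName
        FileVersion      = $file.VersionInfo.FileVersion
        Signer           = $sig.SignerCertificate.Subject
        ProductVersion   = $product.DisplayVersion
        # Driver present and version unknown or <= threshold: flag for review.
        LikelyAffected   = [bool]($drv -and ($null -eq $ver -or $ver -le $LastAffected))
    }
}
Get-EpmntdrvExposure | Format-List
```

A host where the driver is registered but no product version can be parsed is reported as `LikelyAffected`, so leftover drivers from an uninstalled or partially removed copy are not missed.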

Mitigation Strategies

The primary mitigation step is to upgrade EaseUS Partition Master to the latest version, as the vendor has confirmed that the issue has been resolved in versions after 14.5.

Since the exploit requires local access, restricting user permissions and limiting installation or execution of EaseUS Partition Master to trusted administrators can reduce risk.

If upgrading immediately is not possible, consider disabling or removing the epmntdrv.sys driver to prevent exploitation, but be aware this may impact the functionality of EaseUS Partition Master.

Compliance Impact

The vulnerability in EaseUS Partition Master allows local privilege escalation by bypassing access controls to protected files and system resources. This could enable unauthorized modification of sensitive data or system configurations.

Such unauthorized access and potential data tampering may lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information.

However, the vulnerability requires local access and user interaction, and the vendor has released an updated version that resolves the issue.
