Medium · Public exploit

Privilege Escalation in Genshin Impact mhyprot2.sys anti-cheat driver

Identifiers: CVE-2020-36603 · CWE-269 (Improper Privilege Management)

The HoYoVerse (formerly miHoYo) Genshin Impact anti-cheat driver mhyprot2.sys version 1.0.0.0 inadequately restricts access to privileged driver functionality. Local unprivileged users can invoke the exposed driver functionality to achieve arbitrary code execution with SYSTEM privileges on Microsoft Windows. The issue stems from insufficient restriction of unprivileged function calls to the kernel driver, which allows the signed anti-cheat component to be abused once it has been installed. Publicly available tooling leverages the flaw to read and write kernel and user memory, enumerate threads, and terminate processes via ZwTerminateProcess.


Analyst brief: impact, mitigation and remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in local privilege escalation from an unprivileged user context to SYSTEM on affected Windows systems. Because the vulnerable driver exposes powerful kernel-mediated capabilities, an attacker can achieve arbitrary code execution with elevated privileges and perform post-exploitation actions such as arbitrary memory read/write and process termination. This capability has been abused to disable antivirus or EDR-related processes, making it useful for defense evasion and ransomware operations.

Mitigation

If you can’t patch tonight, do this now.

Restrict administrative rights so untrusted users cannot install kernel drivers in the first place, since the vulnerable driver must be installed by an administrator before it can be abused. Enable HVCI/Memory Integrity and Microsoft’s vulnerable driver blocklist where operationally feasible. Use WDAC/AppLocker or equivalent controls to prevent loading of unnecessary third-party kernel drivers, monitor for the presence or loading of mhyprot2.sys, and alert on suspicious access patterns consistent with BYOVD abuse, including unexpected process termination of security tools and anomalous kernel driver loads.

Remediation

Patch, then assume compromise.

Remove or update the vulnerable mhyprot2.sys 1.0.0.0 driver where possible, and ensure the affected Genshin Impact anti-cheat component is no longer present in environments where it is not required. Prevent loading of known-vulnerable signed drivers through Microsoft’s vulnerable driver blocklist or equivalent application control policy. If vendor-fixed versions or removal guidance are available from HoYoVerse/miHoYo, apply those updates and verify the vulnerable driver is no longer loadable.
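The mitigation and remediation guidance above both come down to the same telemetry question: is mhyprot2.sys being loaded anywhere, and are security tools dying shortly afterwards? The following is an added example (not Mallory's code and not part of the original advisory) of that detection logic, run over constructed Sysmon-style events serialised as JSON lines. It flags any DriverLoad (Sysmon Event ID 6) whose image name is mhyprot2.sys, then flags any ProcessTerminate (Event ID 5) of a security-tool process on the same host within a time window after such a load, the pattern the advisory describes for BYOVD abuse. The security-tool process names and the sample events are assumptions constructed for the example; the hash value is a labelled placeholder, not a real indicator.

```python
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver named in the advisory. Matching is by file name only, case-insensitively,
# because BYOVD tooling commonly drops the driver under an arbitrary path.
VULNERABLE_DRIVERS = {"mhyprot2.sys"}

# Illustrative security-tool process names (assumed for this example; replace with
# the agent process names of the AV/EDR actually deployed in your fleet).
SECURITY_PROCESSES = {"msmpeng.exe", "sense.exe", "edr-agent.exe"}

SYSMON_PROCESS_TERMINATE = 5   # Sysmon Event ID 5: ProcessTerminate
SYSMON_DRIVER_LOAD = 6         # Sysmon Event ID 6: DriverLoad

# Constructed sample telemetry (not real events). WS01 loads the vulnerable driver and
# its AV engine terminates 29 seconds later; WS02 loads a legitimate driver and later
# sees an AV termination with no preceding vulnerable load, so it must stay quiet.
SAMPLE_EVENTS = r"""
{"EventID": 6, "Computer": "WS01", "UtcTime": "2024-03-04 09:12:01.100", "ImageLoaded": "C:\\Users\\Public\\mhyprot2.sys", "Signed": "true", "Hashes": "SHA256=CONSTRUCTED_PLACEHOLDER"}
{"EventID": 5, "Computer": "WS01", "UtcTime": "2024-03-04 09:12:30.500", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", "ProcessId": 4120}
{"EventID": 6, "Computer": "WS02", "UtcTime": "2024-03-04 09:15:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true", "Hashes": "SHA256=CONSTRUCTED_PLACEHOLDER"}
{"EventID": 5, "Computer": "WS02", "UtcTime": "2024-03-04 09:16:00.000", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", "ProcessId": 3988}
{"EventID": 5, "Computer": "WS01", "UtcTime": "2024-03-04 10:00:00.000", "Image": "C:\\Windows\\explorer.exe", "ProcessId": 6204}
"""


def _basename(win_path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'C:\\x\\MhyProt2.sys' -> 'mhyprot2.sys'."""
    return PureWindowsPath(win_path).name.lower()


def _when(event: dict) -> datetime:
    # Sysmon UtcTime has the form "YYYY-MM-DD HH:MM:SS.mmm"
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def load_events(jsonl: str) -> list:
    """Parse one JSON-encoded Sysmon event per line, as a SIEM forwarder would emit."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts, in time order, for every vulnerable-driver load and for every
    security-tool termination that follows such a load on the same host within `window`."""
    alerts = []
    last_vulnerable_load = {}   # host -> time of the most recent vulnerable driver load
    for ev in sorted(events, key=_when):
        host, ts = ev["Computer"], _when(ev)
        if ev["EventID"] == SYSMON_DRIVER_LOAD:
            if _basename(ev["ImageLoaded"]) in VULNERABLE_DRIVERS:
                last_vulnerable_load[host] = ts
                alerts.append({
                    "rule": "vulnerable_driver_load",
                    "host": host,
                    "time": ev["UtcTime"],
                    "image": ev["ImageLoaded"],
                    "hashes": ev.get("Hashes", ""),
                })
        elif ev["EventID"] == SYSMON_PROCESS_TERMINATE:
            if _basename(ev["Image"]) in SECURITY_PROCESSES:
                loaded_at = last_vulnerable_load.get(host)
                if loaded_at is not None and ts - loaded_at <= window:
                    alerts.append({
                        "rule": "security_process_terminated_after_vulnerable_driver_load",
                        "host": host,
                        "time": ev["UtcTime"],
                        "image": ev["Image"],
                        "seconds_after_load": (ts - loaded_at).total_seconds(),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the sample data this yields two alerts, both for WS01: the driver load itself, and the AV engine termination 29 seconds later. WS02 produces nothing, because a security-tool termination is only correlated when a vulnerable driver load preceded it on the same host. In production the same logic sits behind a Sigma rule or SIEM correlation search fed by Sysmon Event ID 6 and 5; the driver-load alert alone is worth acting on, since a correctly managed endpoint should not be loading this driver at all once it has been removed or blocklisted.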

Public exploits

No valid public exploits. Mallory filtered out 1 candidate as a fake, a detection script, or a README-only repo (0 valid of 1 total). All candidate exploits were filtered out by Mallory's validation.

Exposure surface: affected products and vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor      Product     Type
Hoyoverse   Mhyprot2    application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
