Mallory
Medium · Public exploit

Arbitrary privileged process termination via K7 Security K7RKScan.sys IOCTLs

Identifiers: CVE-2025-1055 · CWE-862 (Missing Authorization)

CVE-2025-1055 is a local vulnerability in K7RKScan.sys, a kernel driver shipped with the K7 Security Anti-Malware suite. The driver’s IOCTL handler lacks proper access control, allowing a low-privileged local user to send crafted IOCTL requests that invoke privileged kernel functionality to terminate processes running with administrative or SYSTEM privileges. The issue is caused by missing authorization checks on sensitive driver operations, effectively exposing privileged process-management capabilities to unprivileged callers. Operating-system-protected processes may be exempt, but a broad range of privileged applications and services remain terminable through the vulnerable driver interface.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets a local, unprivileged attacker kill high-privilege processes, including security tooling and other critical services that the OS does not itself protect. The primary impact is denial of service through disruption of privileged applications or system services. In an intrusion, this materially weakens host defenses: the public PoC targets the Windows Defender service process, and killing AV/EDR processes in this way is standard defense-evasion tradecraft that clears the way for follow-on activity. Nothing in the public material establishes arbitrary code execution from this flaw alone.

Mitigation

If you can’t patch tonight, do this now.

Restrict local unprivileged access to affected systems, since exploitation is local. Enable and maintain the Microsoft vulnerable driver blocklist or an equivalent kernel-driver deny list, including WDAC/HVCI-based protections where available, so that an attacker cannot bring this driver to hosts that do not run K7 Security. Note that on hosts where K7 Security is installed, the product loads the driver legitimately and its device is reachable by local users, so deny lists address BYOVD reuse of the driver elsewhere, not the exposure on the installed product; only the vendor fix removes that. Monitor for handles opened to the driver's device object (the public PoC uses \\.\DosK7RKScnDrv) and for anomalous IOCTL activity, especially attempts that coincide with security tools or privileged services terminating unexpectedly. Detect and block BYOVD tradecraft generally, and limit the ability of users or attackers to install or load additional drivers.

Remediation

Patch, then assume compromise.

Apply the vendor-provided fix or update for the K7 Security Anti-Malware suite that corrects access control in K7RKScan.sys. If no patched version is currently available, remove or disable the vulnerable driver where operationally feasible, and ensure the product is updated to the latest release once a fix is published. Because this is a signed kernel driver abuse case, organizations should also review and enforce vulnerable-driver blocklisting controls where supported.

PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 2 / 2 total

BYOVD · Maturity: PoC · Verified exploit

This repository is a collection of operational Proof-of-Concept (PoC) exploits demonstrating the Bring Your Own Vulnerable Driver (BYOVD) technique to kill protected processes on Windows systems. Each subdirectory targets a specific vulnerable driver, with a Rust-based executable that loads the driver as a service, opens a device handle, and sends a crafted IOCTL to terminate a process by name or PID. The exploits require the vulnerable driver file to be present in the same directory as the executable and are designed for local execution with administrative privileges. The repository covers multiple drivers, including those from Baidu Antivirus (BdApiUtil64.sys, CVE-2024-51324), K7 Ultimate Security (K7RKScan.sys, CVE-2025-52915, CVE-2025-1055), ThreatFire System Monitor (sysmon.sys), Tg Soft (viragt64.sys), and Topaz Antifraud (wsftprm.sys, CVE-2023-52271). The main entry points are the Rust 'main.rs' files in each subdirectory. The exploits are not detection scripts but provide real process termination capability, which can be used to disable AV/EDR or other security software. The code is well-structured, modular, and leverages Windows service and device APIs to interact with the drivers. The attack vector is local, requiring administrative access to load the driver. The endpoints include the driver files and their respective device interfaces (e.g., \\.\BdApiUtil, \\.\ksapi64_dev, etc.). This collection is intended for research and educational purposes to demonstrate the risks of unprotected or vulnerable kernel drivers on Windows platforms.

BlackSnufkin · Disclosed Dec 5, 2023 · Rust · local

CVE-2025-1055-poc · Maturity: PoC · Verified exploit

This repository is a proof-of-concept (PoC) exploit for CVE-2025-1055 and CVE-2025-52915, targeting the K7RKScan.sys Windows kernel driver (version 1516). The exploit consists of a C program (exploit.c) and a README.md with usage instructions. The exploit works by opening a handle to the vulnerable driver (\\.\DosK7RKScnDrv) and repeatedly sending the PID of the Windows Defender process (MsMpEng.exe) via the 0x222018 IOCTL, causing the driver to terminate the process. The README provides instructions for installing the driver and running the exploit. The attack vector is local, requiring the attacker to have the ability to load the vulnerable driver and execute the exploit on the target system. The main fingerprintable endpoints are the device path for the driver, the path to the driver file, and the target process name.

diego-tella · Disclosed Sep 4, 2025 · C · local
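As an added worked example (this is not code from the K7 driver and not code from either PoC above), the C program below decodes the 0x222018 control code named in the second PoC using the field layout of the Windows SDK's CTL_CODE macro, and models the handle-access check the I/O manager applies before a driver's IRP_MJ_DEVICE_CONTROL handler runs. It shows why the control code itself imposes no access requirement: its access field is FILE_ANY_ACCESS, so even a read-only handle to the device reaches the driver's handler, and the driver then has to do its own authorization, which is the check this CVE says is missing. The I/O manager model is deliberately simplified, the SDK constants are reproduced so the file builds on any host without the SDK, and the "hardened" control-code definition is illustrative rather than K7's actual fix.

```c
/*
 * Added illustration for CVE-2025-1055 (not K7 code, not the public PoC).
 * Decodes a Windows IOCTL control code and models the I/O manager's
 * handle-access check. Constants mirror the Windows SDK (winioctl.h,
 * winnt.h) so this compiles without it.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2

/* Handle rights the I/O manager compares against (winnt.h values). */
#define FILE_READ_DATA  0x0001
#define FILE_WRITE_DATA 0x0002

/* Same bit layout as the SDK's CTL_CODE macro. */
#define CTL_CODE(DeviceType, Function, Method, Access)                 \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) |   \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

/* Control code the public PoC sends to \\.\DosK7RKScnDrv. */
#define K7_KILL_PROCESS_IOCTL 0x222018u

struct ioctl_fields {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14: FILE_ANY/READ/WRITE_ACCESS */
    uint32_t function;    /* bits 13..2 */
    uint32_t method;      /* bits 1..0: buffering method */
};

/* Split a control code back into its CTL_CODE fields. */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/*
 * Simplified model of the check NtDeviceIoControlFile performs: the access
 * bits encoded in the IOCTL must be covered by the rights the caller's
 * handle was opened with. FILE_ANY_ACCESS requires nothing, so every handle
 * passes and the driver alone decides who may use the operation.
 */
bool io_manager_allows(uint32_t granted_access, uint32_t code)
{
    uint32_t required = decode_ioctl(code).access;
    if ((required & FILE_READ_ACCESS) && !(granted_access & FILE_READ_DATA))
        return false;
    if ((required & FILE_WRITE_ACCESS) && !(granted_access & FILE_WRITE_DATA))
        return false;
    return true;
}

/*
 * Illustrative hardened definition (hypothetical, not K7's fix): same device
 * type and function number, but the caller must hold FILE_WRITE_DATA on the
 * device handle. This only helps together with a restrictive device DACL,
 * e.g. IoCreateDeviceSecure with SDDL_DEVOBJ_SYS_ALL_ADM_ALL
 * ("D:P(A;;GA;;;SY)(A;;GA;;;BA)"), so that a non-admin cannot simply open
 * the device with GENERIC_WRITE in the first place.
 */
uint32_t hardened_kill_ioctl(void)
{
    return CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_BUFFERED, FILE_WRITE_ACCESS);
}

int main(void)
{
    uint32_t codes[2] = { K7_KILL_PROCESS_IOCTL, hardened_kill_ioctl() };
    for (int i = 0; i < 2; i++) {
        struct ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%06X: device=0x%02X function=0x%03X method=%u access=%u\n",
               codes[i], f.device_type, f.function, f.method, f.access);
        printf("  read-only handle reaches driver: %s\n",
               io_manager_allows(FILE_READ_DATA, codes[i]) ? "yes" : "no");
        printf("  write handle reaches driver:     %s\n",
               io_manager_allows(FILE_WRITE_DATA, codes[i]) ? "yes" : "no");
    }
    return 0;
}
```

Decoding 0x222018 gives FILE_DEVICE_UNKNOWN, function 0x806, METHOD_BUFFERED and FILE_ANY_ACCESS. A read-only handle therefore reaches the handler, which is why the driver's own missing authorization check (the CWE-862 in the identifiers above) is the whole vulnerability: the I/O manager has nothing to enforce. The hardened definition decodes to 0x22A018 and is refused for a read-only handle; on a device whose DACL limits write access to SYSTEM and Administrators, that refusal is what a low-privileged caller would hit.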