Mallory
Medium

Improper authorization in GameDriverX64.sys IOCTL handler allows arbitrary process termination

Identifiers: CVE-2025-61155, CWE-862

CVE-2025-61155 affects the GameDriverX64.sys kernel-mode gaming anti-cheat driver through version 7.23.4.7. The provided content states that one of the driver's IOCTL handlers fails to enforce proper authentication or access validation. As a result, a user-mode process can open a handle to the device and submit specially crafted IOCTL requests that are executed in kernel context. The exposed functionality allows termination of arbitrary processes from kernel mode, including security products and critical system services, even when the caller does not have administrative privileges. The flaw has been reported as abused in BYOVD operations, including Interlock ransomware's "Hotta Killer," which dropped a renamed copy of the vulnerable signed driver as UpdateCheckerX64.sys to disable EDR/AV tooling before encryption.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unprivileged local attacker to invoke privileged kernel-mode functionality to terminate arbitrary processes. In practice, this enables reliable disabling of EDR, AV, and other security agents, as well as termination of critical services, which can materially reduce host defenses, facilitate follow-on malware execution, and potentially destabilize the operating system. The content specifically links exploitation to ransomware defense evasion prior to encryption activity.

Mitigation

If you can’t patch tonight, do this now.

Prevent untrusted or unnecessary kernel drivers from being loaded, especially gaming or anti-cheat drivers on enterprise systems. Enable Microsoft vulnerable driver blocklist protections and HVCI/Memory Integrity where operationally feasible. Monitor for unexpected driver loads, renamed copies of GameDriverX64.sys such as UpdateCheckerX64.sys, suspicious rundll32-assisted driver deployment, and attempts to open handles to the driver device followed by IOCTL activity. Restrict local code execution opportunities for unprivileged users and remove nonessential software that introduces signed kernel drivers.
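One way to act on the monitoring advice above, as an added example that is not code from the Mallory page or the driver vendor: a PowerShell hunt over the installed driver services that flags GameDriverX64.sys builds through 7.23.4.7 and renamed copies such as UpdateCheckerX64.sys. It assumes the advisory's version refers to the PE file version resource and that UpdateCheckerX64.sys is the only alias named on the page; the function names are the example's own.

```powershell
# Added example, not from the Mallory page or the driver vendor. Assumes the
# advisory's "through 7.23.4.7" refers to the PE file version and that
# UpdateCheckerX64.sys is the only known alias (both from the page text).
$VulnName   = 'GameDriverX64.sys'
$LastBad    = [version]'7.23.4.7'          # affected through this version
$KnownAlias = @('UpdateCheckerX64.sys')    # renamed copy used by Interlock "Hotta Killer"
function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName arrives in several NT forms; normalise to a Win32 path.
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}
function Test-GameDriverCve202561155 {
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        # The version resource survives a rename; editing it would break the Authenticode
        # signature that BYOVD abuse depends on, so OriginalFilename is a stable indicator.
        $vi   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        $leaf = Split-Path -Leaf $path
        $ver  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                               $vi.FileBuildPart, $vi.FilePrivatePart)
        $reasons = @()
        if ($leaf -ieq $VulnName -or $KnownAlias -icontains $leaf) { $reasons += 'known file name' }
        if ($vi.OriginalFilename -ieq $VulnName) {
            $reasons += 'OriginalFilename=GameDriverX64.sys'
            if ($leaf -ine $VulnName) { $reasons += "renamed on disk as $leaf" }
            if ($ver -le $LastBad)    { $reasons += "version $ver <= $LastBad (vulnerable)" }
        }
        if ($reasons.Count -eq 0) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Service   = $drv.Name
            State     = $drv.State          # 'Running' means the IOCTL surface is live now
            Path      = $path
            Version   = $ver
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Reasons   = ($reasons -join '; ')
        }
    }
}
# Run elevated; the SHA256 column is what a WDAC or vendor blocklist entry needs.
Test-GameDriverCve202561155 | Format-List
```

Only drivers registered as services are enumerated; a copy dropped to disk but not yet installed, as in a BYOVD staging step, needs a separate file-system sweep for the same OriginalFilename value.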

Remediation

Patch, then assume compromise.

Update or replace GameDriverX64.sys with a fixed vendor version newer than 7.23.4.7 if one is available. Remove the vulnerable driver from systems where it is not strictly required. Because the driver is signed and has been abused in BYOVD scenarios, organizations should also ensure the vulnerable driver is added to applicable blocklists or revocation controls where supported by the platform and security stack.
Public exploits

No valid public exploits. Mallory filtered out 1 candidate as a fake, a detection script, or a README-only repository.
