Mallory
Low · Public exploit

Local EDR/AV Process Termination via Hangzhou Shunwang Rentdrv2 IOCTL

Identifiers: CVE-2023-44976, CWE-269

CVE-2023-44976 is a local vulnerability in the Hangzhou Shunwang Rentdrv2 kernel driver (rentdrv2.sys) affecting versions before 2024-12-24. The driver exposes a DeviceIoControl interface reachable through IOCTL 0x22E010: a local user who can open the device supplies a target PID, and the driver terminates that process from kernel context, including EDR and antivirus components that resist termination from user mode. The issue is used as a bring-your-own-vulnerable-driver (BYOVD) primitive: the attacker drops and loads the signed vulnerable driver, or finds it already installed, and then invokes the exposed control path to kill protected processes. Public reporting indicates exploitation in the wild beginning in October 2023, including use by the BadRentdrv2 proof of concept and the RansomHub-associated EDRKillShifter tool.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker with local code execution to disable or degrade endpoint protections by terminating EDR/AV processes that would normally resist user-mode tampering (for example through protected-process status or anti-tamper callbacks that strip PROCESS_TERMINATE rights from user-mode handles). Because the termination is performed by a kernel driver, those protections do not apply. This materially reduces host visibility, prevents telemetry and response actions, and creates a window for follow-on activity such as ransomware deployment, credential theft, persistence establishment, or other post-compromise actions. Whether the driver exposes other privileged operations beyond the process-termination control path is not established here, so the practical impact may extend beyond process termination.

Mitigation

If you can’t patch tonight, do this now.

Restrict local administrator privileges and prevent untrusted users or malware from loading kernel drivers. Enable Microsoft's vulnerable driver blocklist, HVCI/Memory Integrity, WDAC, and other kernel-mode code integrity controls where operationally feasible; because rentdrv2.sys is validly signed, signature checks alone will not stop it, so confirm on each host that the blocklist is actually enforced rather than merely present. Monitor for loading of Rentdrv2 (Sysmon event 6 for driver loads, System log event 7045 for new service installs) and, where your sensor exposes it, for DeviceIoControl activity targeting the driver's device with IOCTL 0x22E010, as well as for abrupt termination of security processes shortly after either. Alert on known BYOVD tradecraft, including unusual service creation for driver loading from user-writable paths, and isolate hosts showing EDR/AV process termination consistent with kernel-assisted tampering.
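The monitoring guidance above, written out as a small correlation rule: the driver being staged (service install or driver load of rentdrv2.sys), IOCTL 0x22E010 sent to the \\.\rentdrv2 device with a target PID, and a security process exiting shortly afterwards. This is an added example for this page, not Mallory's detection content and not code from the BadRentdrv2 repository. The event schema and field names are this example's own, the assumption that your sensor records DeviceIoControl calls is exactly that (many EDRs do not), the 120-second window and the EDR/AV image names are tuning assumptions, and both event streams are constructed rather than taken from real logs. It also splits the control code into its CTL_CODE fields, which you need when filtering for the same call in a kernel-side minifilter or ETW consumer.

```python
"""Correlate Rentdrv2 BYOVD kill-chain events (added example, constructed telemetry)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

RENTDRV2_IOCTL = 0x22E010          # control code named in the advisory
RENTDRV2_DEVICE = r"\\.\rentdrv2"  # device path opened by the public PoC
CORRELATION_WINDOW = 120           # seconds; a tuning assumption

# Illustrative EDR/AV image names (assumption); replace with your own product list.
SECURITY_PROCESSES = {"msmpeng.exe", "senseir.exe", "csfalconservice.exe", "sentinelagent.exe"}


@dataclass
class Event:
    """One normalised endpoint event. Field names are this example's own, not a vendor schema."""
    ts: int                 # seconds since epoch
    kind: str               # service_install | driver_load | ioctl | process_terminate
    image: str = ""         # driver/service image path, or device path for ioctl events
    ioctl: int = 0          # control code for ioctl events
    target_pid: int = 0     # PID passed in the IOCTL, or PID of the exiting process
    target_image: str = ""  # image name of the exiting process


def decode_ioctl(code: int) -> Dict[str, int]:
    """Split a Windows control code into its CTL_CODE fields.

    CTL_CODE(DeviceType, Function, Method, Access) =
        (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
    """
    return {
        "device_type": code >> 16,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def detect_rentdrv2_kill_chain(events: List[Event]) -> Dict[str, object]:
    """Return {"alert": bool, "findings": [str, ...]} for one host's event stream.

    Staging alone (service install / driver load) is recorded but does not alert.
    An alert needs a security-process exit within CORRELATION_WINDOW of either the
    driver appearing or IOCTL 0x22E010 being sent to \\.\rentdrv2; confidence is
    "high" when the exiting PID equals the PID supplied in the IOCTL.
    """
    findings: List[str] = []
    driver_ts: Optional[int] = None
    ioctl_ts: Optional[int] = None
    ioctl_pid: Optional[int] = None
    alert = False

    for e in sorted(events, key=lambda ev: ev.ts):
        image = e.image.lower()
        if e.kind in ("service_install", "driver_load") and "rentdrv2" in image:
            driver_ts = e.ts
            findings.append(f"{e.ts} {e.kind}: {e.image} (known-vulnerable driver staged)")
        elif e.kind == "ioctl" and image == RENTDRV2_DEVICE.lower() and e.ioctl == RENTDRV2_IOCTL:
            ioctl_ts, ioctl_pid = e.ts, e.target_pid
            fields = decode_ioctl(e.ioctl)
            findings.append(
                f"{e.ts} ioctl: 0x{e.ioctl:X} to {e.image} "
                f"(function 0x{fields['function']:X}, method {fields['method']}, target pid {e.target_pid})"
            )
        elif e.kind == "process_terminate" and e.target_image.lower() in SECURITY_PROCESSES:
            after_ioctl = ioctl_ts is not None and e.ts - ioctl_ts <= CORRELATION_WINDOW
            after_driver = driver_ts is not None and e.ts - driver_ts <= CORRELATION_WINDOW
            if after_ioctl or after_driver:
                alert = True
                confidence = "high" if after_ioctl and e.target_pid == ioctl_pid else "medium"
                findings.append(
                    f"{e.ts} ALERT ({confidence}): {e.target_image} pid {e.target_pid} "
                    f"exited after Rentdrv2 activity"
                )
    return {"alert": alert, "findings": findings}


# Constructed sample telemetry (not real logs): the PoC's sequence of
# install service -> load driver -> IOCTL carrying a PID -> EDR process gone.
ATTACK_EVENTS = [
    Event(1000, "service_install", image=r"C:\Users\Public\rentdrv2.sys"),
    Event(1001, "driver_load", image=r"C:\Users\Public\rentdrv2.sys"),
    Event(1003, "ioctl", image=RENTDRV2_DEVICE, ioctl=RENTDRV2_IOCTL, target_pid=4312),
    Event(1004, "process_terminate", target_pid=4312, target_image="MsMpEng.exe"),
]

# Constructed benign stream: the driver is present on a host that legitimately
# runs the vendor software, but there is no IOCTL and no security-process exit.
BENIGN_EVENTS = [
    Event(2000, "driver_load", image=r"C:\Program Files\Shunwang\rentdrv2.sys"),
    Event(2500, "process_terminate", target_pid=999, target_image="notepad.exe"),
]

if __name__ == "__main__":
    for name, stream in (("attack", ATTACK_EVENTS), ("benign", BENIGN_EVENTS)):
        result = detect_rentdrv2_kill_chain(stream)
        print(name, "alert =", result["alert"])
        for line in result["findings"]:
            print("  ", line)
```

Decoding 0x22E010 gives device type 0x22 (FILE_DEVICE_UNKNOWN), function 0x804, METHOD_BUFFERED and FILE_READ_ACCESS | FILE_WRITE_ACCESS, so a kernel-side filter should key on the function number, and the PID travels in the buffered SystemBuffer rather than in a user-mapped MDL. The benign stream shows why staging alone should only raise a finding: the driver is legitimately installed on internet-cafe style hosts, and the signal that matters is a security process exiting within the window.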

Remediation

Patch, then assume compromise.

Update or remove Hangzhou Shunwang Rentdrv2 driver versions prior to 2024-12-24. Note that updating the vendor software on hosts that need it does not close the BYOVD path: the attacker brings their own copy of the old signed driver, so the durable fix is to block the vulnerable versions by hash rather than rely on what is installed. Prevent the driver from being loaded in enterprise environments unless explicitly required, and replace it with a fixed vendor version where one is available. Add the vulnerable versions to kernel-driver blocklists and application control policies, including Microsoft's vulnerable driver block rules where applicable. Hunt for and remove copies of the driver from endpoints, especially on systems where the software is not operationally required, and treat a copy found in a user-writable location as an indicator of staging rather than a stray install. Review EDR tamper-protection and kernel driver trust policies to ensure they block known-vulnerable signed drivers.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 1 / 1 total
BadRentdrv2 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept (PoC) exploit for the vulnerable Windows driver rentdrv2.sys that terminates protected processes, such as EDR and antivirus software, by abusing the driver's exposed process-termination control path. The main code is in BadRentdrv2/BadRentdrv2/BadRentdrv2.cpp, which implements the following steps: (1) drops the vulnerable driver to disk, (2) installs and starts it as a Windows service, (3) opens a handle to the driver device (\\.\rentdrv2), and (4) sends a crafted IOCTL to terminate a process by PID. The exploit requires administrator privileges (needed to install and start the driver service) and is intended for local execution. The code cleans up after itself by stopping and deleting the driver service and removing the driver file from disk. The README documents the exploit's use against several well-known security products and provides a disclosure timeline. No specific CVE is referenced in the repository, but the vulnerability is acknowledged by Microsoft and has been addressed in its vulnerable driver blocklist. The repository is structured as a Visual Studio C++ project with the main exploit logic in a single .cpp file and the driver binaries embedded as headers.

keowu · Disclosed Oct 1, 2023 · C++ · local