Medium

Arbitrary Process Termination in NSecsoft NSecKrnl Windows Driver

IdentifiersCVE-2025-68947CWE-862· Missing Authorization

CVE-2025-68947 affects the NSecsoft NSecKrnl Windows kernel-mode driver. The driver fails to verify sufficient permissions before executing privileged commands exposed through crafted IOCTL requests. As a result, a local authenticated attacker can use the driver interface to terminate processes owned by other users, including SYSTEM-owned and Protected Processes. Public reporting describes the flaw as an authorization weakness in the driver's IOCTL handling that exposes kernel-level process termination capability to insufficiently privileged local users. The vulnerability has been observed in BYOVD tradecraft, where attackers load the signed vulnerable driver and then abuse it to kill EDR, AV, and other security processes prior to post-exploitation or ransomware execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local authenticated attacker to terminate arbitrary processes across user and privilege boundaries, including security products and critical system services. In practice, this can be used to disable or impair antivirus, EDR, and other defensive tooling, reduce detection and response capability, and cause denial of service against protected or high-privilege processes. Reporting on ransomware campaigns shows the flaw being used to terminate products from multiple major security vendors before file encryption, materially increasing attacker freedom of action on the host.

Mitigation

If you can’t patch tonight, do this now.

If a fixed version is unavailable, reduce exposure by uninstalling or blocking NSecKrnl wherever possible, restricting local logon and administrative access to trusted users, and preventing unapproved driver installation/loading through WDAC or equivalent allowlisting controls. Monitor for driver load events, creation of services associated with NSecKrnl, access to the driver's device interface, and bursts of security-process termination activity. Enable and maintain Microsoft's vulnerable driver blocklist and equivalent EDR protections, and hunt for BYOVD-related artifacts such as dropped driver files and suspicious service creation.

Remediation

Patch, then assume compromise.

Update or replace the NSecsoft NSecKrnl driver with a vendor-fixed version if one is available. If the driver is not operationally required, remove it entirely from affected systems and prevent it from being reintroduced. Review systems for the presence of NSecKrnl.sys and associated services, especially unauthorized service creation used to load the driver. Apply enterprise driver control policies to block known vulnerable drivers and ensure Microsoft and vendor vulnerable-driver blocklists are enabled and current.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

NsecSoftNseckrnlapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

18 SOURCESView more in app

bank info securityNews

Feb 12, 2026

Breach Roundup: CISA Flags OT Risks After Polish Grid Hack

A known-vulnerable Windows kernel driver flaw abused via BYOVD to enable defense evasion (e.g., killing AV/EDR) as part of the Reynolds ransomware payload.

security affairsNews

Feb 11, 2026

Reynolds ransomware uses BYOVD to disable security before encryption

A critical local privilege/authorization flaw in the signed Windows kernel-mode NSecKrnl driver (NsecSoft) that allows a local authenticated attacker to send crafted IOCTLs to terminate arbitrary processes, including SYSTEM and Protected Processes—enabling BYOVD-based defense evasion (EDR/AV process killing) prior to ransomware encryption.

rescana blogNews

Feb 11, 2026

Reynolds Ransomware Exploits CVE-2025-68947 in NsecSoft NSecKrnl Driver to Disable Windows EDR Security Tools

A vulnerability in the signed NsecSoft NSecKrnl (NSecKrnl.sys) Windows kernel-mode driver that allows arbitrary process termination, enabling BYOVD-based defense evasion (EDR/AV killing) and facilitating ransomware execution.

the hacker newsNews

Feb 10, 2026

Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools

A vulnerability in the NsecSoft NSecKrnl Windows kernel driver that can be exploited to terminate arbitrary processes, enabling BYOVD-style defense evasion (e.g., killing EDR/AV processes).

+8 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence8

Every observed campaign linking this CVE to a named adversary.

Associated malware11

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6