Mallory · Severity: Medium · Public exploit available

Improper Authorization in K7 Security K7RKScan.sys IOCTL Handler

Identifiers: CVE-2025-1055 · CWE-862 (Missing Authorization)

CVE-2025-1055 is a local denial-of-service vulnerability in K7RKScan.sys, a kernel driver shipped with the K7 Security Anti-Malware suite. The driver's IOCTL handler does not check who is calling it: any local user who can open the device can send crafted IOCTL requests that make the driver perform privileged, kernel-mediated actions on their behalf. In particular, an unprivileged user can use the missing authorization check to terminate a broad range of processes running as an administrator or as SYSTEM; only processes that the operating system itself protects are out of reach. The flaw is an authorization failure in a kernel driver interface exposed to user mode (CWE-862).

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets a local, unprivileged attacker terminate privileged processes, including administrative and SYSTEM-level applications and services that the operating system does not itself protect. The direct impact is denial of service: critical services, security tooling, or other privileged applications can be knocked over by an ordinary user account. In practice the same primitive serves defense evasion, since killing an AV or EDR agent is an early step in many intrusions, and the public PoCs listed below do exactly that, bringing the driver along with them (BYOVD) to hosts that never had K7 installed.

Mitigation

If you can’t patch tonight, do this now.

If patching is not immediately possible: keep untrusted users from obtaining local code execution on hosts where the K7 suite is installed, since on those hosts any local account can reach the device; restrict who may install or load drivers; and, where supported, use kernel driver blocklisting (for example a WDAC policy, or Microsoft's vulnerable driver blocklist if it covers this driver) or application control to stop K7RKScan.sys from being loaded as a bring-your-own-vulnerable-driver (BYOVD) payload on hosts that have no business running it. Keep the two scenarios apart: the CVE proper is an unprivileged user abusing an already-installed driver, whereas the BYOVD PoCs need administrative rights to load the driver and gain from it the ability to kill processes from kernel context. Monitoring for handle opens on the driver's device object and for anomalous terminations of privileged or security processes helps detect both. The source material includes no official vendor mitigation guidance.
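A triage and hunting script for the mitigation above, added here as an example; it is not K7's, Mallory's, or either PoC author's code. It assumes two things that the advisory does not state: that the vendor's legitimate copy of the driver lives under Program Files\K7*, and that Sysmon is installed with DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) enabled. MsMpEng.exe is the target the public PoC uses; widen the pattern for other agents.

```powershell
# Added example, not vendor or Mallory code. Run in an elevated PowerShell session.
# Assumptions (not from the advisory): the legitimate driver lives under
# "Program Files\K7*", and Sysmon is installed with DriverLoad (ID 6) and
# ProcessTerminate (ID 5) events enabled.

function Get-K7RKScanDriverState {
    # 1. Every registered kernel service whose image is K7RKScan.sys, wherever it lives.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'K7RKScan\.sys' } |
        ForEach-Object {
            # PathName may carry an NT-style prefix; normalise it for the file system cmdlets.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $version = if (Test-Path -LiteralPath $path) {
                (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            } else { 'file not found' }

            [pscustomobject]@{
                Service          = $_.Name
                State            = $_.State
                StartMode        = $_.StartMode
                Path             = $path
                FileVersion      = $version
                # A copy outside the vendor directory is the BYOVD pattern the public PoCs use.
                OutsideVendorDir = -not ($path -match '\\Program Files( \(x86\))?\\K7')
            }
        }
}

function Get-K7RKScanDriverLoads {
    param([int]$Days = 7)
    # 2. Sysmon DriverLoad events naming the driver; path, signer and hashes are what you
    #    need to compare against a blocklist.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'K7RKScan\.sys' } |
        ForEach-Object {
            $fields = @{}
            foreach ($line in ($_.Message -split '\r?\n')) {
                if ($line -match '^(ImageLoaded|Hashes|Signed|Signature|SignatureStatus):\s*(.*)$') {
                    $fields[$Matches[1]] = $Matches[2]
                }
            }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ImageLoaded = $fields['ImageLoaded']
                Signed      = $fields['Signed']
                Signature   = $fields['Signature']
                Hashes      = $fields['Hashes']
            }
        }
}

function Get-SecurityProcessTerminations {
    param([int]$Days = 7, [string]$ImagePattern = '\\MsMpEng\.exe$')
    # 3. Sysmon ProcessTerminate events for security tooling. Sysmon does not record which
    #    process issued the kill, so correlate these with the driver loads above by time.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 5; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match '(?m)^Image:\s*(.+?)\s*$') {
                $image = $Matches[1]
                if ($image -match $ImagePattern) {
                    [pscustomobject]@{ Time = $_.TimeCreated; Image = $image }
                }
            }
        }
}

Get-K7RKScanDriverState | Format-Table -AutoSize
Get-K7RKScanDriverLoads | Format-Table -AutoSize
Get-SecurityProcessTerminations | Format-Table -AutoSize
```

A driver entry whose OutsideVendorDir is true, or a DriverLoad event for the file from a user-writable directory, is the BYOVD indicator; a clean K7 install shows the driver only under its own program directory. Security-process terminations close in time to such a load are the follow-on to investigate.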

Remediation

Patch, then assume compromise.

No vendor remediation or fixed version is recorded in the source material. Remediation consists of applying a vendor-supplied update to the K7 Security Anti-Malware suite, or to the K7RKScan.sys driver specifically, that replaces the vulnerable driver (the public PoC targets driver version 1516) with one that enforces authorization on its sensitive IOCTL operations. Because the vulnerable binary stays useful to attackers as a BYOVD payload after your own hosts are patched, also ensure the old driver file is blocked or removed rather than merely superseded. If the driver has been abused on a host, treat that host as compromised: an attacker who could kill security tooling may have acted while it was down.
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

BYOVD · maturity: PoC · verified exploit

This repository is a collection of operational proof-of-concept (PoC) exploits demonstrating the Bring Your Own Vulnerable Driver (BYOVD) technique to kill protected processes on Windows. Each subdirectory targets one vulnerable driver with a Rust executable that installs the driver as a service, opens a handle to its device, and sends a crafted IOCTL to terminate a process by name or PID. The exploits expect the vulnerable driver file to sit in the same directory as the executable and run locally with administrative privileges, which loading the driver requires. Drivers covered include Baidu Antivirus (BdApiUtil64.sys, CVE-2024-51324), K7 Ultimate Security (K7RKScan.sys, CVE-2025-52915 and CVE-2025-1055), ThreatFire System Monitor (sysmon.sys), Tg Soft (viragt64.sys), and Topaz Antifraud (wsftprm.sys, CVE-2023-52271). The entry point for each is the 'main.rs' in its subdirectory. These are not detection scripts: they deliver real process termination and can disable AV/EDR or other security software. The code is modular and uses the Windows service and device APIs to drive the drivers. Fingerprintable endpoints are the driver files and their device interfaces (e.g. \\.\BdApiUtil, \\.\ksapi64_dev). The collection is published for research and educational purposes, to demonstrate the risk posed by vulnerable kernel drivers on Windows.

BlackSnufkin · disclosed Dec 5, 2023 · Rust · local

CVE-2025-1055-poc · maturity: PoC · verified exploit

This repository is a proof-of-concept exploit for CVE-2025-1055 and CVE-2025-52915 against the K7RKScan.sys Windows kernel driver, version 1516. It consists of a C program (exploit.c) and a README.md with usage instructions. The exploit opens a handle to the driver's device, \\.\DosK7RKScnDrv, and repeatedly sends the PID of the Windows Defender service process (MsMpEng.exe) in IOCTL 0x222018; the driver terminates that process. The README covers installing the driver and running the exploit. The attack vector is local: the attacker must be able to load the vulnerable driver and run the exploit on the target. Fingerprintable endpoints are the device path, the driver file path, and the target process name.

diego-tella · disclosed Sep 4, 2025 · C · local
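Decoding the control code the PoC sends, 0x222018, shows what the I/O manager itself enforces before the driver's dispatch routine ever runs, which is the crux of the missing-authorization finding described at the top of this page. This is an added example, not code from either repository or from K7; it implements the CTL_CODE bit layout documented in winioctl.h and nothing specific to this driver.

```powershell
# Added example: split a Windows IOCTL control code into the CTL_CODE fields defined
# in winioctl.h (bits 31-16 DeviceType, 15-14 RequiredAccess, 13-2 Function, 1-0 Method).
function ConvertFrom-IoControlCode {
    param([Parameter(Mandatory)][uint32]$Code)

    $methods = @{ 0 = 'METHOD_BUFFERED'; 1 = 'METHOD_IN_DIRECT'; 2 = 'METHOD_OUT_DIRECT'; 3 = 'METHOD_NEITHER' }
    $access  = @{ 0 = 'FILE_ANY_ACCESS'; 1 = 'FILE_READ_ACCESS'; 2 = 'FILE_WRITE_ACCESS'; 3 = 'FILE_READ_ACCESS | FILE_WRITE_ACCESS' }

    $deviceType   = [int](($Code -shr 16) -band 0xFFFF)
    $accessBits   = [int](($Code -shr 14) -band 0x3)
    $functionCode = [int](($Code -shr 2)  -band 0xFFF)
    $method       = [int]($Code -band 0x3)

    [pscustomobject]@{
        Code            = '0x{0:X8}' -f $Code
        DeviceType      = ('0x{0:X4}' -f $deviceType) + $(if ($deviceType -eq 0x22) { ' (FILE_DEVICE_UNKNOWN)' } else { '' })
        Function        = '0x{0:X3}' -f $functionCode
        # 0x800-0xFFF is the range Microsoft reserves for vendor-defined functions.
        VendorFunction  = $functionCode -ge 0x800
        Method          = $methods[$method]
        RequiredAccess  = $access[$accessBits]
        # FILE_ANY_ACCESS means the I/O manager does not demand read or write access on the
        # handle, so the device object's DACL and the driver's own checks are the only gates.
        GatedOnlyByDacl = ($accessBits -eq 0)
    }
}

ConvertFrom-IoControlCode -Code 0x222018 | Format-List
```

For 0x222018 the decoder reports FILE_DEVICE_UNKNOWN, vendor function 0x806, METHOD_BUFFERED and FILE_ANY_ACCESS. That last field is the security-relevant one: with FILE_ANY_ACCESS the I/O manager imposes no access requirement of its own, so whether a low-privileged caller can reach the process-termination path comes down entirely to the DACL on the device object and to any check the dispatch routine performs. CVE-2025-1055 is the case where neither stops an ordinary user.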