Arbitrary PPL Process Termination in Topaz Antifraud wsftprm.sys
Topaz Antifraud wsftprm.sys kernel driver version 2.0.0.0 contains a local vulnerability that allows a low-privileged attacker to send a crafted IOCTL to the driver and terminate arbitrary Protected Process Light (PPL) processes. Because the vulnerable functionality is exposed from a signed kernel-mode driver and does not properly restrict which callers may invoke the process-kill capability, an unprivileged local user can abuse the driver as a Bring Your Own Vulnerable Driver (BYOVD) primitive to interfere with protected security processes.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
The repository contains a small Windows C++ proof-of-concept exploit for CVE-2023-52271 targeting the Warsaw driver wsftprm.sys (noted in the README as version 2.0.0.0). Its structure is minimal: README.md (description and links) and main.cpp (the exploit). main.cpp implements a local, driver-based process-killing tool: it enumerates running processes via the Toolhelp32 APIs, matches them against a hardcoded list of Microsoft Defender/Windows security process names, and for each match opens the device \\.\Warsaw_PM and calls DeviceIoControl with IOCTL 0x22201C. The input buffer is 1036 bytes with the target PID placed in the first 4 bytes, which is intended to trigger the vulnerable driver behavior that terminates even PPL-protected processes. The program loops once per second until interrupted (CTRL+C), so it can repeatedly kill respawning security services. No network communication is present; the key fingerprintable artifacts are the driver device path (\\.\Warsaw_PM), the IOCTL code (0x22201C), and the targeted process name list.
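The two artifacts above that a defender can act on before any process is killed are the IOCTL code and the driver load itself. The following Python is an added example, not code from this page or from the PoC repository it describes: it decodes 0x22201C with the standard Windows CTL_CODE bit layout (which shows the request is FILE_ANY_ACCESS, so the I/O manager performs no handle-access check and the driver alone decides who may call it), and it triages constructed Sysmon-style driver-load records for wsftprm.sys. The log lines, the key=value record format, and the choice of C:\Windows\System32\drivers as the only expected install location are assumptions made for the example.

```python
"""
Defender-side triage helpers for the wsftprm.sys (Warsaw) BYOVD primitive.

Added example; not code from the Mallory page or the PoC repository.
1. decode_ioctl() splits an IOCTL into its CTL_CODE fields.
2. triage_driver_loads() flags loads of wsftprm.sys in constructed
   Sysmon Event ID 6 style records, so the staging step (bringing the
   driver) is caught before any kill IOCTL is sent.
"""
import re
from typing import Dict, List

# CTL_CODE layout: DeviceType bits 16-31 | Access 14-15 | Function 2-13 | Method 0-1
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

PPL_KILL_IOCTL = 0x22201C           # from the page: the code the PoC sends
VULN_DRIVER_NAME = "wsftprm.sys"    # from the page: the vulnerable driver
# Assumption for this example: a legitimate Topaz install lives here.
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a Windows IOCTL code into its CTL_CODE fields."""
    function = (code >> 2) & 0xFFF
    return {
        "device_type": (code >> 16) & 0xFFFF,      # 0x22 == FILE_DEVICE_UNKNOWN
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": function,
        "vendor_defined": function >= 0x800,       # 0x800+ is reserved for third parties
        "method": METHOD_NAMES[code & 0x3],
    }


_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed key=value record; values may be double-quoted."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def triage_driver_loads(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per load of the vulnerable driver.

    A load from outside the expected install directory is rated high: that
    is the BYOVD pattern, where the attacker drops the signed driver
    themselves. A load from the install directory is rated medium and still
    needs a version check (the page lists 2.0.0.0 as vulnerable).
    """
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "6":          # Sysmon 6 == driver loaded
            continue
        image = rec.get("ImageLoaded", "")
        if image.lower().rsplit("\\", 1)[-1] != VULN_DRIVER_NAME:
            continue
        in_trusted_dir = image.lower().startswith(TRUSTED_DRIVER_DIR + "\\")
        findings.append({
            "image": image,
            "severity": "medium" if in_trusted_dir else "high",
            "reason": ("known-vulnerable driver loaded from expected directory; "
                       "confirm file version is not 2.0.0.0"
                       if in_trusted_dir else
                       "known-vulnerable driver loaded from a non-standard path "
                       "(BYOVD staging)"),
        })
    return findings


# Constructed sample records (not real telemetry), Sysmon Event ID 6 style.
SAMPLE_DRIVER_LOADS = [
    r'EventID=6 ImageLoaded=C:\Windows\System32\drivers\ntfs.sys Signed=true Signature="Microsoft Windows"',
    r'EventID=6 ImageLoaded=C:\Users\Public\wsftprm.sys Signed=true',
    r'EventID=6 ImageLoaded=C:\Windows\System32\drivers\wsftprm.sys Signed=true',
    r'EventID=1 Image=C:\Windows\System32\svchost.exe',
]

if __name__ == "__main__":
    print(decode_ioctl(PPL_KILL_IOCTL))
    for f in triage_driver_loads(SAMPLE_DRIVER_LOADS):
        print(f["severity"].upper(), f["image"], "-", f["reason"])
```

The decoded fields are the caveat a driver reviewer looks for: FILE_ANY_ACCESS plus a vendor-defined function number means nothing outside the driver's own IOCTL handler restricts the caller, which is exactly the gap the page describes. On real hosts the equivalent records come from Sysmon Event ID 6 (driver load) and Windows System log 7045 (new kernel-driver service); the record format here is constructed for the example.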
Affected products & vendors
Recent activity
15 sources tracked across advisories, community write-ups, and news.
A specific vulnerable driver issue referenced as being abused in a BYOVD defense-evasion chain to disable security tools at the kernel level during the intrusion.
A vulnerable driver flaw in Topaz Antifraud wsftprm.sys that was abused as part of BYOVD tactics to gain kernel-level privileges and disable security tools.
A vulnerable driver flaw in Topaz Antifraud's wsftprm.sys that was used in a BYOVD chain by DragonForce operators to gain kernel-level privileges and disable security tools.
Previously disclosed local privilege escalation vulnerability associated with the wsftprm.sys driver; highlighted here in the context of driver abuse/EDR-killer tooling and blocklist gaps.