Mallory
Severity: Medium · Public exploit available

Arbitrary Process Termination in K7 Security K7RKScan.sys

Identifiers: CVE-2025-1055 · CWE-862 (Missing Authorization)

CVE-2025-1055 is a local vulnerability in K7RKScan.sys, a kernel driver shipped with the K7 Security Anti-Malware suite. The driver's IOCTL handler lacks proper access control, allowing a low-privilege local user to send crafted IOCTL requests that invoke privileged kernel functionality to terminate processes running with administrative or SYSTEM privileges. The issue is effectively an authorization failure in a kernel-mode device interface: unprivileged callers can request process-kill operations that should be restricted to trusted or elevated contexts. The vulnerability does not appear to bypass operating-system-enforced protections for inherently protected processes, but it still enables termination of a broad range of privileged applications and services.


ANALYST BRIEF

Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables denial of service against privileged userland processes and services, including security tooling and other administrative applications. In practice, this can disrupt host defenses, impair monitoring, and destabilize business-critical or security-critical services. The public exploits catalogued for this CVE specifically apply it as BYOVD tradecraft to terminate security tools on compromised hosts, which can materially assist post-compromise defense evasion and follow-on malicious activity.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, prevent or restrict loading of the vulnerable K7RKScan.sys driver where operationally feasible. Enforce Microsoft vulnerable driver blocklists, WDAC/HVCI/Memory Integrity, and application control policies to block known-abusable signed drivers. Monitor for suspicious access to the driver's device object, anomalous IOCTL activity, unexpected privileged process termination, and BYOVD-related telemetry. Restrict local code execution opportunities for unprivileged users, since exploitation is local.

Remediation

Patch, then assume compromise.

Apply the vendor-provided fix or update for the K7 Security Anti-Malware suite that corrects access control in K7RKScan.sys. If a patched driver or product update is available, replace the vulnerable driver and ensure the old version is removed from systems. Where applicable, update endpoint protection policies and kernel-driver blocklists to prevent loading of known-vulnerable signed drivers such as K7RKScan.sys.
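The mitigation and remediation steps above amount to three questions for each host: is K7RKScan.sys registered or loaded, and at what version; are the driver-blocking controls (Memory Integrity/HVCI, WDAC, the Microsoft vulnerable driver blocklist) actually on; and has the driver been installed or loaded recently, which is the BYOVD signature on a host that does not run the K7 product. The following PowerShell audit is an added example written for this advisory, not code from Mallory or K7 Security. It assumes an elevated Windows PowerShell 5.1 or later session; the registry value used for the blocklist toggle and the presence of Sysmon are assumptions marked in the comments.

```powershell
# Added example for this advisory; not code from Mallory or K7 Security.
# Audits one Windows host for the K7RKScan.sys driver (CVE-2025-1055) and for
# the controls the mitigation section relies on. Run elevated.

$DriverFile = 'K7RKScan.sys'   # driver file name from the advisory

function Get-K7RKScanDriver {
    # Win32_SystemDriver enumerates installed kernel drivers, loaded or not.
    # PathName may carry a '\??\' or '\SystemRoot' prefix; normalise before Test-Path.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*\$DriverFile" } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $ver  = if (Test-Path -LiteralPath $path) {
                        (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                    }
            [pscustomobject]@{
                Service = $_.Name
                State   = $_.State      # 'Running' means the device object is reachable
                Path    = $path
                Version = $ver          # compare against the vendor's fixed build
            }
        }
}

function Get-CodeIntegrityPosture {
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI (Memory
    # Integrity) is running; CodeIntegrityPolicyEnforcementStatus 2 = WDAC enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # Assumption: the Microsoft vulnerable driver blocklist toggle is this CI\Config
    # value (1 = enabled). A missing value is reported as unconfirmed, not as off.
    $bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HvciRunning  = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
        WdacEnforced = [bool]($dg -and ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2))
        MsBlocklist  = if ($null -eq $bl) { 'not confirmed' }
                       elseif ($bl.VulnerableDriverBlocklistEnable -eq 1) { 'enabled' }
                       else { 'disabled' }
    }
}

function Find-K7RKScanLoadEvents {
    param([int]$Days = 30)
    $since   = (Get-Date).AddDays(-$Days)
    $pattern = [regex]::Escape($DriverFile)
    $hits    = @()
    # System/7045: Service Control Manager recorded a new service. BYOVD loaders
    # register the driver as a kernel service immediately before using it.
    try {
        $hits += @(Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045; StartTime=$since } -ErrorAction Stop |
                   Where-Object { $_.Message -match $pattern } |
                   ForEach-Object { [pscustomobject]@{ Time=$_.TimeCreated; Source='System/7045'; Detail=$_.Message } })
    } catch { }   # no matching events, or log unreadable
    # Sysmon/6 (driver loaded), only where Sysmon is installed (assumption).
    try {
        $hits += @(Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=6; StartTime=$since } -ErrorAction Stop |
                   Where-Object { $_.Message -match $pattern } |
                   ForEach-Object { [pscustomobject]@{ Time=$_.TimeCreated; Source='Sysmon/6'; Detail=$_.Message } })
    } catch { }
    $hits
}

$driver = Get-K7RKScanDriver
if ($driver) { $driver | Format-List } else { "$DriverFile is not registered as a kernel driver on this host." }
Get-CodeIntegrityPosture | Format-List
Find-K7RKScanLoadEvents -Days 30 | Format-Table -AutoSize
```

Read the three results together. On a host that runs the K7 suite the driver is expected, so the decision is the version against the vendor's fixed build; on any other host a registered K7RKScan.sys, or a 7045/Sysmon 6 record for it, is a BYOVD indicator and the service install that wrote it deserves a timeline. A blocklist or HVCI reading of "enabled" only means the control is on, not that this specific driver build is on the current blocklist, so the version check still applies.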
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 2 / 2 total
BYOVD · Maturity: PoC · Verified exploit

This repository is a collection of operational Proof-of-Concept (PoC) exploits demonstrating the Bring Your Own Vulnerable Driver (BYOVD) technique to kill protected processes on Windows systems. Each subdirectory targets a specific vulnerable driver, with a Rust-based executable that loads the driver as a service, opens a device handle, and sends a crafted IOCTL to terminate a process by name or PID. The exploits require the vulnerable driver file to be present in the same directory as the executable and are designed for local execution with administrative privileges. The repository covers multiple drivers, including those from Baidu Antivirus (BdApiUtil64.sys, CVE-2024-51324), K7 Ultimate Security (K7RKScan.sys, CVE-2025-52915, CVE-2025-1055), ThreatFire System Monitor (sysmon.sys), Tg Soft (viragt64.sys), and Topaz Antifraud (wsftprm.sys, CVE-2023-52271). The main entry points are the Rust 'main.rs' files in each subdirectory. The exploits are not detection scripts but provide real process termination capability, which can be used to disable AV/EDR or other security software. The code is well-structured, modular, and leverages Windows service and device APIs to interact with the drivers. The attack vector is local, requiring administrative access to load the driver. The endpoints include the driver files and their respective device interfaces (e.g., \\.\BdApiUtil, \\.\ksapi64_dev, etc.). This collection is intended for research and educational purposes to demonstrate the risks of unprotected or vulnerable kernel drivers on Windows platforms.

BlackSnufkin · Disclosed Dec 5, 2023 · Rust · Local
CVE-2025-1055-poc · Maturity: PoC · Verified exploit

This repository is a proof-of-concept (PoC) exploit for CVE-2025-1055 and CVE-2025-52915, targeting the K7RKScan.sys Windows kernel driver (version 1516). The exploit consists of a C program (exploit.c) and a README.md with usage instructions. The exploit works by opening a handle to the vulnerable driver (\\.\DosK7RKScnDrv) and repeatedly sending the PID of the Windows Defender process (MsMpEng.exe) via the 0x222018 IOCTL, causing the driver to terminate the process. The README provides instructions for installing the driver and running the exploit. The attack vector is local, requiring the attacker to have the ability to load the vulnerable driver and execute the exploit on the target system. The main fingerprintable endpoints are the device path for the driver, the path to the driver file, and the target process name.

diego-tella · Disclosed Sep 4, 2025 · C · Local