Local EDR Process Termination via Hangzhou Shunwang Rentdrv2 IOCTL
CVE-2023-44976 is a local vulnerability in the Hangzhou Shunwang Rentdrv2 kernel driver (also referenced as RentDrv2 / BadRentdrv2) affecting versions before 2024-12-24. The driver exposes a DeviceIoControl interface reachable from user mode, including IOCTL 0x22E010, without adequate access restriction. This interface can be abused to issue commands from user mode that trigger kernel-mode operations against processes, including termination of protected security processes and bypass of protection mechanisms such as Protected Process. The vulnerability has been incorporated into BYOVD tooling such as GhostDriver and BadRentdrv2 to kill EDR/AV processes by PID on both x86 and x64 systems, and exploitation in the wild was reported in October 2023.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept (PoC) exploit for a vulnerable Windows driver (rentdrv2.sys) that can be used to terminate protected processes, such as EDR and antivirus software, by abusing the driver's own process-termination functionality. The main code is in BadRentdrv2/BadRentdrv2/BadRentdrv2.cpp, which implements the following steps: (1) drops the vulnerable driver to disk, (2) installs and starts it as a Windows service, (3) opens a handle to the driver device (\\.\rentdrv2), and (4) sends a crafted IOCTL to terminate a process by PID. The exploit requires administrator privileges and is intended for local execution. The code also cleans up after execution by stopping and deleting the driver service and removing the driver file from disk. The README documents the exploit's use against several well-known security products and provides a timeline of disclosure. No specific CVE is referenced, but the vulnerability is acknowledged by Microsoft and has been addressed in their driver blocklist. The repository is structured as a Visual Studio C++ project with the main exploit logic in a single .cpp file, and the driver binaries embedded as headers.
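The three observable host-side steps of the PoC described above (driver dropped to disk, driver installed and started as a service, driver loaded into the kernel) are what a defender can hunt for; the DeviceIoControl call itself is not logged by default Windows telemetry. The following is an added detection example, not code from this page or from the BadRentdrv2 repository. It runs over constructed JSON-line records whose shapes are simplified assumptions of Windows System log event 7045 (service installed) and Sysmon events 11 (FileCreate) and 6 (DriverLoad); the file paths and service names in the samples are constructed, and the only indicator taken from the page is the driver file name rentdrv2.sys.

```python
"""Flag host telemetry consistent with the rentdrv2.sys BYOVD chain.

Added example; not the Mallory page's or the PoC repository's code.
Event shapes are simplified assumptions of Windows 7045 / Sysmon 11 / Sysmon 6.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Indicator from the vulnerability description: the driver's file name.
# Anchored so "rentdrv2.sys.bak" or "rentdrv2.sysx" do not match.
DRIVER_FILE_RE = re.compile(r"(^|[\\/])rentdrv2\.sys$", re.IGNORECASE)

STEP_DROP = "driver file written to disk"
STEP_INSTALL = "driver installed as a service"
STEP_LOAD = "driver loaded into the kernel"

# Constructed sample telemetry (JSON lines). Not real captures; paths are made up.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 11, "Source": "Sysmon",
                "Image": "C:\\Users\\bob\\loader.exe",
                "TargetFilename": "C:\\Windows\\Temp\\rentdrv2.sys"}),
    json.dumps({"EventID": 7045, "Source": "Service Control Manager",
                "ServiceName": "rentdrv2",
                "ImagePath": "C:\\Windows\\Temp\\rentdrv2.sys",
                "ServiceType": "kernel mode driver"}),
    json.dumps({"EventID": 6, "Source": "Sysmon",
                "ImageLoaded": "C:\\Windows\\Temp\\rentdrv2.sys"}),
    # Benign noise that must not be flagged.
    json.dumps({"EventID": 7045, "Source": "Service Control Manager",
                "ServiceName": "Spooler",
                "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
                "ServiceType": "user mode service"}),
    json.dumps({"EventID": 11, "Source": "Sysmon",
                "Image": "C:\\Windows\\System32\\svchost.exe",
                "TargetFilename": "C:\\Windows\\Temp\\update.log"}),
])


def classify(event: Dict) -> Optional[str]:
    """Return which BYOVD step an event represents, or None if it is unrelated."""
    eid = event.get("EventID")
    if eid == 11 and DRIVER_FILE_RE.search(event.get("TargetFilename", "")):
        return STEP_DROP
    if eid == 7045 and DRIVER_FILE_RE.search(event.get("ImagePath", "")):
        return STEP_INSTALL
    if eid == 6 and DRIVER_FILE_RE.search(event.get("ImageLoaded", "")):
        return STEP_LOAD
    return None


def scan(jsonl: str) -> List[Tuple[int, str]]:
    """Parse JSON-line telemetry and return (EventID, step) for every hit, in order."""
    findings: List[Tuple[int, str]] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        step = classify(event)
        if step is not None:
            findings.append((int(event["EventID"]), step))
    return findings


def is_sequence_complete(findings: List[Tuple[int, str]]) -> bool:
    """True when drop, install and load were all observed: the full chain, not a stray file."""
    seen = {step for _, step in findings}
    return {STEP_DROP, STEP_INSTALL, STEP_LOAD} <= seen


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for eid, step in hits:
        print(f"event {eid}: {step}")
    print("full BYOVD chain observed:", is_sequence_complete(hits))
```

A single hit on the file name is low fidelity on its own (the driver ships legitimately with Shunwang software), so the chain check is what should raise severity; on a host where Microsoft's driver blocklist is enforced, the expected outcome is the drop and install steps without the load step.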
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability in the RentDrv2/BadRentdrv2 driver that allows user-mode commands via DeviceIoControl and kernel-level process operations, enabling termination of protected security processes.
A vulnerability in the rentdrv2 driver used for BYOVD attacks to terminate EDR/AV processes, with public PoC support and reported ransomware-related abuse.