Medium

Improper authorization in NSecsoft NSecKrnl driver allows arbitrary process termination

IdentifiersCVE-2025-68947CWE-862· Missing Authorization

CVE-2025-68947 affects NSecsoft's NSecKrnl, a signed Windows kernel-mode driver. The driver fails to verify whether the calling user has sufficient permissions before executing privileged functionality exposed through crafted IOCTL requests. As described in the provided content, this authorization flaw allows a local, authenticated attacker to use the driver to terminate processes owned by other users, including SYSTEM-owned and Protected Processes. In practice, the vulnerable driver exposes kernel-level process-kill capability to insufficiently privileged local users, making it suitable for bring-your-own-vulnerable-driver (BYOVD) abuse to disable security tooling.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local authenticated attacker to terminate arbitrary processes across user and privilege boundaries, including security products, SYSTEM processes, and Protected Processes. The primary impact is denial of service against targeted processes and impairment of host defenses, especially EDR/AV agents. This can materially weaken endpoint protection and facilitate follow-on malicious activity such as ransomware execution, persistence, or post-exploitation without normal defensive interference.

Mitigation

If you can’t patch tonight, do this now.

Until remediation is available everywhere, block or deny-load the vulnerable driver using WDAC or equivalent application/driver control, enable Microsoft's Vulnerable Driver Blocklist, enable HVCI where feasible, restrict driver installation privileges to trusted administrators, and monitor for unexpected loading or service creation involving NSecKrnl.sys. Additional mitigation includes alerting on unusual access to the driver's device interface, suspicious IOCTL activity, and unexpected termination of security processes.

Remediation

Patch, then assume compromise.

Update to a vendor-fixed version of NSecKrnl if one is available. If no fixed version is available or the driver is not operationally required, remove and block NSecKrnl.sys from affected systems. Review systems for the presence of the driver and associated service entries, especially where the driver is not expected. Apply enterprise driver-control policy to prevent loading of known-vulnerable drivers, and ensure Microsoft vulnerable driver protections and equivalent vendor blocklists are enabled.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

NsecSoftNseckrnlapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app

bank info securityNews

Feb 12, 2026

Breach Roundup: CISA Flags OT Risks After Polish Grid Hack

A known-vulnerable Windows kernel driver flaw abused via BYOVD to enable defense evasion (e.g., killing AV/EDR) as part of the Reynolds ransomware payload.

security affairsNews

Feb 11, 2026

Reynolds ransomware uses BYOVD to disable security before encryption

A critical local privilege/authorization flaw in the signed Windows kernel-mode NSecKrnl driver (NsecSoft) that allows a local authenticated attacker to send crafted IOCTLs to terminate arbitrary processes, including SYSTEM and Protected Processes—enabling BYOVD-based defense evasion (EDR/AV process killing) prior to ransomware encryption.

rescana blogNews

Feb 11, 2026

Reynolds Ransomware Exploits CVE-2025-68947 in NsecSoft NSecKrnl Driver to Disable Windows EDR Security Tools

A vulnerability in the signed NsecSoft NSecKrnl (NSecKrnl.sys) Windows kernel-mode driver that allows arbitrary process termination, enabling BYOVD-based defense evasion (EDR/AV killing) and facilitating ransomware execution.

medium onuroktayNews

Feb 11, 2026

⚡ Reynolds Ransomware EDR’lerden Nasıl Kaçıyor? Nasıl Tespit Ederiz? (Mantık+Kural+Kritik Noktalar) | by Onur OKTAY | Medium

A vulnerability in the legitimate NsecSoft NSecKrnl driver that is abused in a BYOVD ransomware attack to terminate or disable EDR/AV protection processes.

+9 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence8

Every observed campaign linking this CVE to a named adversary.

Associated malware12

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6