Skip to main content

PassMark DirectIo64.sys CVE-2025-52347

| EUVDEUVD-2025-209609 HIGH
Improper Input Validation (CWE-20)
2026-05-01 mitre
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 19:30 vuln.today
CVSS changed
May 01, 2026 - 19:22 NVD
7.8 (HIGH)
EUVD ID Assigned
May 01, 2026 - 19:00 euvd
EUVD-2025-209609
Analysis Generated
May 01, 2026 - 19:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 7.8

DescriptionCVE.org

An issue in the component DirectIo64.sys of PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004 allows attackers to access kernel memory and escalate privileges via a crafted IOCTL 0x8011E044 call.

AnalysisAI

Kernel memory access and privilege escalation in PassMark DirectIo64.sys driver affect BurnInTest 11.0 Build 1011, OSForensics 11.1 Build 1007, and PerformanceTest 11.1 Build 1004. Local authenticated attackers can send crafted IOCTL 0x8011E044 calls to the vulnerable driver to read arbitrary kernel memory and elevate privileges to SYSTEM level. Public exploit code is available in the researcher's GitHub repository. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation, though POC availability lowers the barrier for local attacks.

Technical ContextAI

DirectIo64.sys is a signed kernel-mode driver shipped with PassMark diagnostic and forensics tools to enable low-level hardware access for performance testing and system analysis. The vulnerability stems from improper input validation (CWE-20) in the driver's IOCTL handler for control code 0x8011E044. Windows IOCTL (Input/Output Control) codes allow user-mode applications to communicate with kernel drivers through DeviceIoControl API calls. Without proper bounds checking and authorization enforcement, an attacker can craft IOCTL requests that read or manipulate kernel memory regions normally inaccessible to user-mode processes. Because the driver runs at Ring 0 with SYSTEM privileges, successful exploitation grants complete control over the operating system. This class of driver vulnerability is common in system utilities that require hardware access, where developers may prioritize functionality over secure IOCTL validation.

RemediationAI

Check PassMark vendor advisories and version history pages for patched releases addressing CVE-2025-52347. Update BurnInTest to builds newer than 11.0 Build 1011, OSForensics to builds newer than 11.1 Build 1007, and PerformanceTest to builds newer than 11.1 Build 1004 when available. Consult the vendor update pages at https://www.passmark.com/products/burnintest/history.php, https://www.passmark.com/products/performancetest/history.php, and https://www.osforensics.com/whats-new.html for the latest secure versions, though specific fix build numbers are not independently confirmed in available data. If immediate patching is not feasible, implement compensating controls: restrict installation of PassMark tools to dedicated testing systems isolated from production networks; enforce principle of least privilege by limiting which user accounts can access systems with these tools installed; monitor for abnormal IOCTL activity to DirectIo64.sys using EDR solutions; disable or unload the DirectIo64.sys driver when not actively needed (note: this will break tool functionality). Consider removing PassMark tools from multi-user systems or environments requiring strict privilege separation until vendor patches are confirmed.

Share

CVE-2025-52347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy