Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
An issue in the component DirectIo64.sys of PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004 allows attackers to access kernel memory and escalate privileges via a crafted IOCTL 0x8011E044 call.
AnalysisAI
Kernel memory access and privilege escalation in PassMark DirectIo64.sys driver affect BurnInTest 11.0 Build 1011, OSForensics 11.1 Build 1007, and PerformanceTest 11.1 Build 1004. Local authenticated attackers can send crafted IOCTL 0x8011E044 calls to the vulnerable driver to read arbitrary kernel memory and elevate privileges to SYSTEM level. Public exploit code is available in the researcher's GitHub repository. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation, though POC availability lowers the barrier for local attacks.
Technical ContextAI
DirectIo64.sys is a signed kernel-mode driver shipped with PassMark diagnostic and forensics tools to enable low-level hardware access for performance testing and system analysis. The vulnerability stems from improper input validation (CWE-20) in the driver's IOCTL handler for control code 0x8011E044. Windows IOCTL (Input/Output Control) codes allow user-mode applications to communicate with kernel drivers through DeviceIoControl API calls. Without proper bounds checking and authorization enforcement, an attacker can craft IOCTL requests that read or manipulate kernel memory regions normally inaccessible to user-mode processes. Because the driver runs at Ring 0 with SYSTEM privileges, successful exploitation grants complete control over the operating system. This class of driver vulnerability is common in system utilities that require hardware access, where developers may prioritize functionality over secure IOCTL validation.
RemediationAI
Check PassMark vendor advisories and version history pages for patched releases addressing CVE-2025-52347. Update BurnInTest to builds newer than 11.0 Build 1011, OSForensics to builds newer than 11.1 Build 1007, and PerformanceTest to builds newer than 11.1 Build 1004 when available. Consult the vendor update pages at https://www.passmark.com/products/burnintest/history.php, https://www.passmark.com/products/performancetest/history.php, and https://www.osforensics.com/whats-new.html for the latest secure versions, though specific fix build numbers are not independently confirmed in available data. If immediate patching is not feasible, implement compensating controls: restrict installation of PassMark tools to dedicated testing systems isolated from production networks; enforce principle of least privilege by limiting which user accounts can access systems with these tools installed; monitor for abnormal IOCTL activity to DirectIo64.sys using EDR solutions; disable or unload the DirectIo64.sys driver when not actively needed (note: this will break tool functionality). Consider removing PassMark tools from multi-user systems or environments requiring strict privilege separation until vendor patches are confirmed.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209609