Prevx CVE-2025-60349
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
IOCTL to a local device driver requires local code execution (AV:L) and a device handle typically obtainable by a low-privileged user (PR:L); impact is availability-only via process termination.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
An issue was discovered in Prevx v3.0.5.220 allowing attackers to cause a denial of service via sending IOCTL code 0x22E044 to the pxscan.sys driver. Any processes listed under registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files will be terminated.
AnalysisAI
Denial of service in Prevx 3.0.5.220 lets a local attacker terminate protected processes by sending IOCTL code 0x22E044 to the pxscan.sys kernel driver, which force-kills every process enumerated under the HKLM\System\CurrentControlSet\Services\pxscan\Files registry key. A GitHub repository named for the CVE indicates publicly available exploit code exists, though the vulnerability is not in CISA KEV and carries a low EPSS score of 0.34% (26th percentile). Prevx is a long-retired anti-malware product (absorbed into Webroot circa 2011), so real-world exposure is minimal.
Technical ContextAI
The flaw resides in pxscan.sys, the kernel-mode scanning driver of the legacy Prevx endpoint security suite. The driver exposes a device object accepting DeviceIoControl requests; the specific control code 0x22E044 triggers termination of every process the driver has registered as protected/monitored via the pxscan\Files registry list. The root cause maps to CWE-400 (Uncontrolled Resource Consumption): a privileged operation (mass process termination) is reachable through an insufficiently guarded IOCTL handler, allowing an unauthorized caller to exhaust/destroy running services. Because the primitive lives in a signed kernel driver, the abuse executes with kernel privilege regardless of the caller's intent.
Affected ProductsAI
Prevx version 3.0.5.220 is the only version cited, specifically its pxscan.sys kernel driver component. No CPE string was supplied in the intelligence, so exact version ranges beyond 3.0.5.220 are unconfirmed. Prevx was an anti-malware product acquired by Webroot around 2010-2011 and is effectively end-of-life; no current vendor advisory URL was provided, and the sole reference is a GitHub repository (https://github.com/djackreuter/CVE-2025-60349) rather than a vendor page.
RemediationAI
No vendor-released patch identified at time of analysis, consistent with Prevx being a retired product with no active maintenance. The primary recommendation is to remove/uninstall Prevx 3.0.5.220 entirely and migrate to a supported endpoint protection product, since a modern replacement eliminates both this bug and the broader risk of running unmaintained kernel drivers. If removal is not immediately possible, apply compensating controls: harden the pxscan device object's ACL to deny non-administrator handle access if configurable, restrict local logon and remove standard-user local access on hosts running the driver (trade-off: reduces exposure but does not fix the IOCTL handler), and monitor for unexpected termination of the pxscan-protected processes as a detection signal. Review the referenced GitHub repo (https://github.com/djackreuter/CVE-2025-60349) to understand the exact IOCTL primitive before deploying detections.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today