Skip to main content

Prevx CVE-2025-60349

HIGH
Uncontrolled Resource Consumption (CWE-400)
2025-10-28 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

IOCTL to a local device driver requires local code execution (AV:L) and a device handle typically obtainable by a low-privileged user (PR:L); impact is availability-only via process termination.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:10 vuln.today

DescriptionCVE.org

An issue was discovered in Prevx v3.0.5.220 allowing attackers to cause a denial of service via sending IOCTL code 0x22E044 to the pxscan.sys driver. Any processes listed under registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files will be terminated.

AnalysisAI

Denial of service in Prevx 3.0.5.220 lets a local attacker terminate protected processes by sending IOCTL code 0x22E044 to the pxscan.sys kernel driver, which force-kills every process enumerated under the HKLM\System\CurrentControlSet\Services\pxscan\Files registry key. A GitHub repository named for the CVE indicates publicly available exploit code exists, though the vulnerability is not in CISA KEV and carries a low EPSS score of 0.34% (26th percentile). Prevx is a long-retired anti-malware product (absorbed into Webroot circa 2011), so real-world exposure is minimal.

Technical ContextAI

The flaw resides in pxscan.sys, the kernel-mode scanning driver of the legacy Prevx endpoint security suite. The driver exposes a device object accepting DeviceIoControl requests; the specific control code 0x22E044 triggers termination of every process the driver has registered as protected/monitored via the pxscan\Files registry list. The root cause maps to CWE-400 (Uncontrolled Resource Consumption): a privileged operation (mass process termination) is reachable through an insufficiently guarded IOCTL handler, allowing an unauthorized caller to exhaust/destroy running services. Because the primitive lives in a signed kernel driver, the abuse executes with kernel privilege regardless of the caller's intent.

Affected ProductsAI

Prevx version 3.0.5.220 is the only version cited, specifically its pxscan.sys kernel driver component. No CPE string was supplied in the intelligence, so exact version ranges beyond 3.0.5.220 are unconfirmed. Prevx was an anti-malware product acquired by Webroot around 2010-2011 and is effectively end-of-life; no current vendor advisory URL was provided, and the sole reference is a GitHub repository (https://github.com/djackreuter/CVE-2025-60349) rather than a vendor page.

RemediationAI

No vendor-released patch identified at time of analysis, consistent with Prevx being a retired product with no active maintenance. The primary recommendation is to remove/uninstall Prevx 3.0.5.220 entirely and migrate to a supported endpoint protection product, since a modern replacement eliminates both this bug and the broader risk of running unmaintained kernel drivers. If removal is not immediately possible, apply compensating controls: harden the pxscan device object's ACL to deny non-administrator handle access if configurable, restrict local logon and remove standard-user local access on hosts running the driver (trade-off: reduces exposure but does not fix the IOCTL handler), and monitor for unexpected termination of the pxscan-protected processes as a detection signal. Review the referenced GitHub repo (https://github.com/djackreuter/CVE-2025-60349) to understand the exact IOCTL primitive before deploying detections.

Share

CVE-2025-60349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy