Skip to main content

N A CVE-2025-70795

| EUVDEUVD-2025-209526 MEDIUM
Improper Privilege Management (CWE-269)
2026-04-17 mitre GHSA-42p2-73mx-2pch
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 17, 2026 - 16:32 vuln.today
CVSS changed
Apr 17, 2026 - 15:22 NVD
5.5 (None) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 17, 2026 - 14:15 euvd
EUVD-2025-209526
Analysis Generated
Apr 17, 2026 - 14:15 vuln.today
CVE Published
Apr 17, 2026 - 00:00 nvd
MEDIUM 5.5

DescriptionCVE.org

STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enabling unauthorized processes to perform those actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. Unauthorized processes load the driver and send a crafted IOCTL request (0xB822200C) to terminate processes protected by a third-party implementation. This action exploits insufficient caller validation in the driver's IOCTL handler, allowing unauthorized processes to perform termination operations in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications.

AnalysisAI

STProcessMonitor 11.11.4.0 driver in Safetica Application suite allows local privileged users to send crafted IOCTL requests (0xB822200C) that terminate processes protected by third-party security implementations due to insufficient caller validation in the kernel-mode driver handler. This enables denial of service attacks against critical services without requiring user interaction. Publicly available exploit code exists, and the vulnerability is tracked in CISA's LOLDrivers database as a legitimate-but-abused Windows driver.

Technical ContextAI

STProcessMonitor is a kernel-mode device driver component of the Safetica Application suite that manages process monitoring and control on Windows systems. The vulnerability stems from CWE-269 (Improper Privilege Management) - specifically, the driver's IOCTL handler for control code 0xB822200C fails to properly validate the caller's authorization before executing privileged kernel operations. The driver accepts requests from user-mode applications with Local (L) privilege level to terminate arbitrary processes, including those protected by third-party endpoint security tools. This represents a classic example of a 'Living off the Land Driver' (LOLDriver) - a legitimately signed Windows driver with insufficient access controls that can be weaponized by lower-privileged users to bypass security mechanisms. The Safetica suite is deployed in enterprise environments as an information security and data loss prevention (DLP) solution, making this driver a high-value target for attackers seeking to disable competing protection mechanisms.

RemediationAI

Update Safetica Application suite to a patched version released after STProcessMonitor 11.11.4.0; consult vendor release notes to confirm IOCTL handler validation improvements. If immediate patching is unavailable, implement the following compensating controls with their trade-offs: (1) Restrict driver load permissions - use Windows Device Guard / HVCI (Hypervisor-protected Code Integrity) to prevent unsigned or non-approved drivers from loading; this may impact legacy application compatibility. (2) Block unsigned driver execution via AppLocker or Device Control policies targeting the STProcessMonitor.sys file; verify this does not break legitimate Safetica functionality. (3) Limit local admin/elevated privilege assignments to only those users and service accounts that require them; use Just-In-Time (JIT) privileged access management (PAM) to reduce standing privileges. (4) Monitor IOCTL code 0xB822200C via Event Tracing for Windows (ETW) or kernel debugging to detect attempted exploitation; requires Windows kernel debugging setup and log aggregation capability. References: GitHub LOLDrivers issue #268 (https://github.com/magicsword-io/LOLDrivers/issues/268) documents driver exploit vectors; NVD advisory (https://nvd.nist.gov/vuln/detail/CVE-2025-70795) provides official vulnerability timeline.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2025-70795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy