Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local-only kernel driver IOCTL abuse from any standard user account (AV:L, PR:L, AC:L, UI:N) yields full SYSTEM compromise, giving high C/I/A within an unchanged scope.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was found in AOMEI Dynamic Disk Manager up to 10.10.1. This issue affects some unknown processing in the library ddmdrv.sys of the component Kernel Driver. Performing a manipulation results in improper access controls. The attack must be initiated from a local position. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Local privilege escalation in AOMEI Dynamic Disk Manager up to version 10.10.1 stems from improper access controls in the ddmdrv.sys kernel driver, allowing a low-privileged local user to interact with privileged driver IOCTLs and gain SYSTEM-level control. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving installations unpatched. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must already have local code execution as a low-privileged user (PR:L) on a Windows host where the AOMEI ddmdrv.sys kernel driver is loaded - either because AOMEI Dynamic Disk Manager 10.10.0 or 10.10.1 is installed, or because the attacker has dropped and loaded the signed driver themselves (BYOVD). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) and base score of 7.1 accurately reflect a local, low-complexity, low-privilege attack delivering high confidentiality, integrity, and availability impact - i.e., full SYSTEM compromise from any interactive user account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained low-privilege code execution on a Windows host - for example via a phishing payload running as a standard user - opens a handle to the ddmdrv.sys device object and issues the IOCTL sequence demonstrated in the public PoC on winslow1984.com to perform privileged operations from kernel context. The result is escalation to NT AUTHORITY\SYSTEM, after which the attacker disables defenses, harvests credentials, and moves laterally. … |
| Remediation | No vendor-released patch identified at time of analysis - the vendor was contacted but did not respond, so no upgrade target exists. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running AOMEI Dynamic Disk Manager versions up to 10.10.1 and assess operational dependency. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38144
GHSA-xmv6-8rvm-ww7w