Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local-only attack via a kernel driver IOCTL (AV:L), reliable once exploit is known (AC:L), requires an existing low-priv local user (PR:L), no user interaction, and yields SYSTEM giving full C/I/A impact.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability has been found in Ezbsystems UltraISO Premium Edition up to 9.76. Affected by this issue is some unknown functionality in the library bootpt64.sys of the component Kernel Driver. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Local privilege escalation in EZB Systems UltraISO Premium Edition up to 9.76 stems from improper access controls in the bundled bootpt64.sys kernel driver, allowing an authenticated local user to abuse the driver and achieve high-integrity kernel-level impact on confidentiality, integrity, and availability. Publicly available exploit code exists, and the vendor was contacted but did not respond, leaving all currently shipped versions unpatched.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) UltraISO Premium Edition 9.0-9.76 installed on a 64-bit Windows host with the bootpt64.sys driver loaded or loadable, (2) the attacker already holding interactive or remote code execution as a low-privileged local user on that host (CVSS AV:L, PR:L - no remote network reachability of the driver and no anonymous access), and (3) the ability to open a handle to the driver's device object and issue IOCTLs. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk is moderate-to-high for endpoints where UltraISO is installed but not broadly internet-facing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard, low-privileged user on a Windows endpoint - for example, an attacker who landed via a phishing payload or a malicious insider - runs the publicly available exploit which opens a handle to the bootpt64.sys device and issues a crafted IOCTL that the driver processes without enforcing caller privilege. The driver's kernel-mode primitive is abused to overwrite the calling process token (or perform arbitrary kernel write), giving the attacker NT AUTHORITY\SYSTEM and full control of the host, from which they can disable EDR, dump LSASS, and pivot. |
| Remediation | No vendor-released patch identified at time of analysis - EZB Systems was contacted prior to disclosure and did not respond. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit and inventory all systems running UltraISO Premium Edition versions 9.76 and earlier; identify which authenticated local users have access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38150
GHSA-hr5r-cgx8-r3qw