CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enabling unauthorized processes to perform those actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. Unauthorized processes load the driver and send a crafted IOCTL request (0xB822200C) to terminate processes protected by a third-party implementation. This action exploits insufficient caller validation in the driver's IOCTL handler, allowing unauthorized processes to perform termination operations in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications.
Analysis (AI-generated)
The STProcessMonitor 11.11.4.0 driver in the Safetica Application suite allows local privileged users to send crafted IOCTL requests (control code 0xB822200C) that terminate processes protected by third-party security implementations, because the kernel-mode driver's IOCTL handler does not sufficiently validate the caller. This enables denial-of-service attacks against critical services without requiring user interaction. Publicly available exploit code exists, and the driver is tracked in CISA's LOLDrivers database as a legitimate-but-abused Windows driver.
Technical Context (AI-generated)
STProcessMonitor is a kernel-mode device driver in the Safetica Application suite that handles process monitoring and control on Windows systems. The vulnerability is classified as CWE-269 (Improper Privilege Management): the driver's IOCTL handler for control code 0xB822200C does not properly validate the caller's authorization before executing privileged kernel operations. The driver accepts requests from local user-mode applications (the AV:L of the CVSS vector) to terminate arbitrary processes, including those protected by third-party endpoint security tools. This is a classic 'Living off the Land Driver' (LOLDriver): a legitimately signed Windows driver with insufficient access controls that can be abused by lower-privileged users to bypass security mechanisms. Because the Safetica suite is deployed in enterprise environments as an information security and data loss prevention (DLP) solution, this driver is a high-value target for attackers seeking to disable competing protection mechanisms.
Remediation (AI-generated)
Update the Safetica Application suite to a patched version released after STProcessMonitor 11.11.4.0; consult the vendor release notes to confirm the IOCTL handler validation improvements. If immediate patching is not possible, apply the following compensating controls, each with its trade-off:
(1) Restrict driver loading: use Windows Device Guard / HVCI (Hypervisor-protected Code Integrity) to prevent unsigned or non-approved drivers from loading; this may affect legacy application compatibility.
(2) Block execution of the driver via AppLocker or Device Control policies targeting the STProcessMonitor.sys file; verify that this does not break legitimate Safetica functionality.
(3) Limit local admin and other elevated privilege assignments to the users and service accounts that require them; use Just-In-Time (JIT) privileged access management (PAM) to reduce standing privileges.
(4) Monitor for IOCTL code 0xB822200C via Event Tracing for Windows (ETW) or kernel debugging to detect attempted exploitation; this requires a Windows kernel debugging setup and log aggregation capability.
References: GitHub LOLDrivers issue #268 (https://github.com/magicsword-io/LOLDrivers/issues/268) documents the driver's exploit vectors; the NVD advisory (https://nvd.nist.gov/vuln/detail/CVE-2025-70795) provides the official vulnerability timeline.
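As an added example (not part of the advisory and not Safetica's own tooling), the following PowerShell check reports whether the STProcessMonitor driver is installed at or below the affected version and whether the HVCI compensating control from step (1) is actually running. It assumes the driver is registered as a kernel service named STProcessMonitor and that the image file is STProcessMonitor.sys as named in the advisory; run it in an elevated session.

```powershell
# Added example: inventory check for CVE-2025-70795 (STProcessMonitor) and for HVCI.
# Assumptions: service name "STProcessMonitor" (assumed), image STProcessMonitor.sys
# (from the advisory), and that any version <= 11.11.4.0 is unpatched.

$VulnerableVersion = [version]'11.11.4.0'   # version named in the advisory
$ServiceName       = 'STProcessMonitor'     # assumed kernel service name

function Get-STProcessMonitorStatus {
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if (-not $drv) {
        return [pscustomobject]@{ Installed = $false; Path = $null; Version = $null; Vulnerable = $false; Loaded = $false }
    }
    # PathName may be a \??\ or \SystemRoot\ path; normalise it to a filesystem path.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $ver  = $null
    if (Test-Path $path) {
        $fv = (Get-Item $path).VersionInfo.FileVersion
        if ($fv) { $ver = [version]($fv -replace '[^\d.].*$', '') }
    }
    [pscustomobject]@{
        Installed  = $true
        Path       = $path
        Version    = $ver
        # An unreadable version is treated as vulnerable until the vendor confirms the fix.
        Vulnerable = ($null -eq $ver) -or ($ver -le $VulnerableVersion)
        Loaded     = ($drv.State -eq 'Running')
    }
}

function Test-HvciRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
}

$status = Get-STProcessMonitorStatus
$status | Format-List
if ($status.Vulnerable) {
    Write-Warning "STProcessMonitor at or below $VulnerableVersion is present; update Safetica before relying on compensating controls."
}
if (-not (Test-HvciRunning)) {
    Write-Warning "HVCI is not running; compensating control (1) is not in effect on this host."
}
```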
Related Identifiers
EUVD-2025-209526
GHSA-42p2-73mx-2pch