AI description
CVE-2023-52271 describes a vulnerability found in the `wsftprm.sys` kernel driver, version 2.0.0.0, within Topaz Antifraud software. This flaw permits attackers with low privileges to terminate any Protected Process Light (PPL) process. The vulnerability operates through an IOCTL (Input/Output Control) call, allowing a low-privileged user to make arbitrary calls to kernel functions that can kill processes on the system. This capability can be exploited to bypass anti-malware protections, such as those offered by Microsoft Defender.
- Description
- The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which will be named at a later time).
- Source
- cve@mitre.org
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 4
- Exploitability score
- 2
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
- Severity
- MEDIUM
- Hype score
- Not currently trending
Can vulnerable drivers still kill your EDR in 2026? Spoiler: yes. 🧵 New Weekly Purple Team drops today — BYOVD using CVE-2023-52271 (wsftprm.sys), a signed driver STILL not on Microsoft's blocklist. 🔴 Attack: malicious IOCTL → ZwTerminateProcess at kernel level → ED
@BriPwn
19 Feb 2026
3765 Impressions
8 Retweets
44 Likes
20 Bookmarks
1 Reply
0 Quotes
BYOVD: Silencing AV/EDR with CVE-2023-52271 by me at @0x00secOfficial https://t.co/W3Ewvteiws
@vict0ni
16 Feb 2026
142 Impressions
0 Retweets
3 Likes
2 Bookmarks
0 Replies
0 Quotes
2025-11-09 の人気記事はコチラでした。(自動ツイート) #Hacker_Trends ――― The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud... · CVE-2023-52271 · GitHub Advisory Database · GitHub https://t.co/c51sYg23Me https://t.co/VmgHwVdLEW
@motikan2010
10 Nov 2025
132 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Observed threat actor abusing a vulnerable driver (wsftprm.sys, Topaz OFD – Brazilian antifraud vendor, #CVE-2023-52271) for defense evasion. Attack chain: cartel.exe → vulnerable driver → Lazarus.exe (final payload, extension ".cry"). First seen in Colombia. 1/3 https://
@johnk3r
29 Sept 2025
7324 Impressions
24 Retweets
82 Likes
29 Bookmarks
2 Replies
1 Quote
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:topazevolution:antifraud:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1B242D1E-47B6-4F59-89A8-6D6706213FC0",
"versionEndIncluding": "2.0.0.0"
}
],
"operator": "OR"
}
]
}
]