- Description
- The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which will be named at a later time).
- Source
- cve@mitre.org
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 4
- Exploitability score
- 2
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
- Severity
- MEDIUM
- Hype score
- Not currently trending
Can vulnerable drivers still kill your EDR in 2026? Spoiler: yes. š§µ New Weekly Purple Team drops today ā BYOVD using CVE-2023-52271 (wsftprm.sys), a signed driver STILL not on Microsoft's blocklist. š“ Attack: malicious IOCTL ā ZwTerminateProcess at kernel level ā ED
@BriPwn
19 Feb 2026
3765 Impressions
8 Retweets
44 Likes
20 Bookmarks
1 Reply
0 Quotes
BYOVD: Silencing AV/EDR with CVE-2023-52271 by me at @0x00secOfficial https://t.co/W3Ewvteiws
@vict0ni
16 Feb 2026
142 Impressions
0 Retweets
3 Likes
2 Bookmarks
0 Replies
0 Quotes
2025-11-09 ć®äŗŗę°čØäŗćÆć³ćć©ć§ććć(čŖåćć¤ć¼ć) #Hacker_Trends āāā The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud... Ā· CVE-2023-52271 Ā· GitHub Advisory Database Ā· GitHub https://t.co/c51sYg23Me https://t.co/VmgHwVdLEW
@motikan2010
10 Nov 2025
132 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Observed threat actor abusing a vulnerable driver (wsftprm.sys, Topaz OFD ā Brazilian antifraud vendor, #CVE-2023-52271) for defense evasion. Attack chain: cartel.exe ā vulnerable driver ā Lazarus.exe (final payload, extension ".cry"). First seen in Colombia. 1/3 https://
@johnk3r
29 Sept 2025
7324 Impressions
24 Retweets
82 Likes
29 Bookmarks
2 Replies
1 Quote
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:topazevolution:antifraud:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1B242D1E-47B6-4F59-89A8-6D6706213FC0",
"versionEndIncluding": "2.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]