CVE-2025-68947

Published Jan 13, 2026

Last updated 2 months ago

Overview

Description
NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted IOCTL requests to the driver.
Source
9119a7d8-5eab-497f-8521-727c672e3725
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
5.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Secondary
Base score
4.7
Impact score
3.6
Exploitability score
1
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

9119a7d8-5eab-497f-8521-727c672e3725
CWE-862

Social media

Hype score
Not currently trending
  1. BYOVD Example: CVE-2025-68947 Even CVSS Medium vulnerabilities can enable powerful attack chains. Risk assessments must consider operational impact and adversary capabilities, not just scores. https://t.co/ZLJ1CduWBA

    @clibm079

    5 Mar 2026

    515 Impressions

    3 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. A new ransomware group called Reynolds is leveraging BYOVD (Bring Your Own Vulnerable Driver) to disable EDR/AV before encryption. They’re abusing the NSecKrnl driver (CVE-2025-68947) to reduce visibility at the kernel level. If you’re not monitoring vulnerable drivers and h

    @Brandefense

    27 Feb 2026

    95 Impressions

    1 Retweet

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  3. Reynolds Ransomware doesn’t just encrypt files. It disables defenses at the kernel level first. Our Threat Research team analyzed its BYOVD abuse of NSecKrnl.sys (CVE-2025-68947), AV/EDR termination via IOCTL, multi-threaded encryption & qTox comms. https://t.co/dChzUlummV

    @Gurucul

    25 Feb 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Reynolds Ransomware: BYOVD Abuse of NSecKrnl.sys (CVE-2025-68947) for Kernel-Level Defense Evasion https://t.co/4TfRX6nN7E Introduction: Reynolds Ransomware employs a Bring Your Own Vulnerable Driver (BYOVD) strategy to disable endpoint defenses before initiating encryption.

    @f1tym1

    24 Feb 2026

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Happy to share my writeup for the challenge 'Kernel Shield' on https://t.co/VjZa958DNA, created by @MalGamy12. In this challenge we are tasked to analyze a benign kernel driver file, which can be exploited to kill specific processes (CVE-2025-68947). https://t.co/xNaoz9A1kO

    @0x747863

    17 Feb 2026

    2612 Impressions

    9 Retweets

    31 Likes

    26 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 New Challenge: Kernel Shield Reverse engineer the NSecKrnl driver (CVE-2025-68947), weaponized in the #Reynolds ransomware BYOVD campaign to kill EDR/AV processes. challenge: https://t.co/7ANwUH5j5J discord: https://t.co/oBPe6oItWX https://t.co/P8ov6OFYTZ

    @MalOps_io

    14 Feb 2026

    1 Impression

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 New Challenge: Kernel Shield Reverse engineer the NSecKrnl driver (CVE-2025-68947), weaponized in the #Reynolds ransomware BYOVD campaign to kill EDR/AV processes. 🔗 https://t.co/2Cob78hObV 🔗 https://t.co/hZlNYL9AFK https://t.co/9wxwdIRwJw

    @MalGamy12

    14 Feb 2026

    1532 Impressions

    3 Retweets

    34 Likes

    10 Bookmarks

    2 Replies

    0 Quotes

  8. 🚨 Reynolds Ransomware Goes BYOVD: Driver Exploit to Kill EDR Before Encryption New “Reynolds” ransomware is using a Bring Your Own Vulnerable Driver (BYOVD) approach—abusing the NsecSoft NSecKrnl driver tied to CVE-2025-68947—to escalate privileges and terminate securi

    @ThreatSynop

    12 Feb 2026

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 Reynolds Ransomware Bundles BYOVD Driver to Kill EDR Before Encrypting Reynolds is a newly identified ransomware that embeds a vulnerable signed NsecSoft kernel driver (NSecKrnl) and exploits CVE-2025-68947 to terminate major security/EDR processes (Defender, CrowdStrike,

    @ThreatSynop

    11 Feb 2026

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🚨 Reynolds Ransomware Packs BYOVD Driver to Kill EDR Before Encryption A new ransomware strain dubbed Reynolds bundles a vulnerable signed driver (NsecSoft NSecKrnl, CVE-2025-68947) inside the payload to terminate EDR/AV processes (e.g., CrowdStrike, Cortex XDR, Sophos,

    @ThreatSynop

    10 Feb 2026

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Tactical evolution: Reynolds uses CVE-2025-68947 and BYOVD to neutralize Sophos, ESET, Defender and CrowdStrike from the kernel. The payload disables defenses before encryption. IOCs (SHA-256) detailed in the images. #Infosec #Reynolds #BYOVD #Cybersecurity #Fenikso https://t.

    @fenikso_io

    10 Feb 2026

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. ⚠️🛠️ Reynolds ransomware embeds its own BYOVD evasion, bundling a vulnerable driver to disable EDR before encryption. It drops the NSecKrnl driver (CVE-2025-68947) to kill security tools, reducing detection and affiliate effort. 🔗 Read full attack chain and defense

    @TheHackersNews

    10 Feb 2026

    53300 Impressions

    22 Retweets

    81 Likes

    25 Bookmarks

    3 Replies

    1 Quote

  13. 🚨 Black Basta Levels Up: BYOVD Driver Embedded Directly Inside Ransomware Payload A new Black Basta campaign embeds a “Bring Your Own Vulnerable Driver” (BYOVD) component directly into the ransomware, dropping the signed NsecSoft NSecKrnl driver and abusing CVE-2025-68947

    @ThreatSynop

    9 Feb 2026

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Black Basta ransomware uses a vulnerable signed kernel driver (CVE-2025-68947) embedded in its payload to kill security processes and evade defenses, appending “.locked” to encrypted files. Includes GotoHTTP RAT for persistence. #BlackBasta #RansomwareEv… https://t.co/eHK8d

    @TweetThreatNews

    6 Feb 2026

    114 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  15. The ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and tries to create an NSecKrnl service. This driver is then exploited to kill processes. The NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947), which h

    @blackorbird

    6 Feb 2026

    4111 Impressions

    11 Retweets

    55 Likes

    21 Bookmarks

    0 Replies

    1 Quote

  16. 🚨 Black Basta embeds BYOVD inside ransomware payload to kill EDR at kernel level Symantec/Carbon Black report Black Basta bundling a vulnerable signed driver (NsecSoft NSecKrnl, CVE-2025-68947) directly inside the ransomware, dropping it as a service and abusing IOCTLs to

    @ThreatSynop

    5 Feb 2026

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-68947 NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Proces… https://t.co/EFxEy25ieG

    @CVEnew

    15 Jan 2026

    134 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 Kernel Panic: How a Single IOCTL Bug (#CVE-2025-68947) Lets Hackers Kill Any Process on Your Machine https://t.co/8Y76sEj183 Educational Purposes!

    @UndercodeUpdate

    14 Jan 2026

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes