AI description
CVE-2025-68947 is a driver vulnerability found in NSecsoft's NSecKrnl Windows driver. This flaw allows a local, authenticated attacker to terminate processes belonging to other users, including those running as SYSTEM or designated as Protected Processes. This is achieved by sending specially crafted Input/Output Control (IOCTL) requests to the driver. The vulnerability is categorized under CWE-862 (Missing Authorization), indicating that the NSecKrnl driver fails to properly validate the authorization of requests to terminate processes. This issue presents a "Bring Your Own Vulnerable Driver" (BYOVD) attack surface, which can be leveraged by threat actors to disable endpoint security solutions and other critical system processes. For instance, the Black Basta ransomware has been observed utilizing this vulnerability.
- Description
- NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver.
- Source
- 9119a7d8-5eab-497f-8521-727c672e3725
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 5.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Secondary
- Base score
- 4.7
- Impact score
- 3.6
- Exploitability score
- 1
- Vector string
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
- Severity
- MEDIUM
- 9119a7d8-5eab-497f-8521-727c672e3725
- CWE-862
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
8
Black Basta ransomware uses a vulnerable signed kernel driver (CVE-2025-68947) embedded in its payload to kill security processes and evade defenses, appending “.locked” to encrypted files. Includes GotoHTTP RAT for persistence. #BlackBasta #RansomwareEv… https://t.co/eHK8d
@TweetThreatNews
6 Feb 2026
114 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
The ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and tries to create an NSecKrnl service. This driver is then exploited to kill processes. The NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947), which h
@blackorbird
6 Feb 2026
4111 Impressions
11 Retweets
55 Likes
21 Bookmarks
0 Replies
1 Quote
🚨 Black Basta embeds BYOVD inside ransomware payload to kill EDR at kernel level Symantec/Carbon Black report Black Basta bundling a vulnerable signed driver (NsecSoft NSecKrnl, CVE-2025-68947) directly inside the ransomware, dropping it as a service and abusing IOCTLs to
@ThreatSynop
5 Feb 2026
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68947 NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Proces… https://t.co/EFxEy25ieG
@CVEnew
15 Jan 2026
134 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Kernel Panic: How a Single IOCTL Bug (#CVE-2025-68947) Lets Hackers Kill Any Process on Your Machine https://t.co/8Y76sEj183 Educational Purposes!
@UndercodeUpdate
14 Jan 2026
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes