AI description
CVE-2025-68947 is a vulnerability in NSecsoft's NSecKrnl Windows kernel driver. A local, authenticated attacker can terminate processes belonging to other users, including processes running as SYSTEM and Protected Processes, by sending specially crafted Input/Output Control (IOCTL) requests to the driver. The flaw is classified as CWE-862 (Missing Authorization): the driver does not verify that the caller is authorized to terminate the targeted process before acting on the request. This makes the driver a "Bring Your Own Vulnerable Driver" (BYOVD) attack surface that threat actors can use to disable endpoint security solutions and other critical system processes; the Black Basta ransomware has been observed exploiting this vulnerability.
- Description
- NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted IOCTL requests to the driver.
- Source
- 9119a7d8-5eab-497f-8521-727c672e3725
- NVD status
- Deferred
CVSS 4.0
- Type
- Secondary
- Base score
- 5.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Secondary
- Base score
- 4.7
- Impact score
- 3.6
- Exploitability score
- 1
- Vector string
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
- Severity
- MEDIUM
- Source
- 9119a7d8-5eab-497f-8521-727c672e3725
- CWE
- CWE-862
- Hype score
- Not currently trending
BYOVD Example: CVE-2025-68947. Even CVSS Medium vulnerabilities can enable powerful attack chains. Risk assessments must consider operational impact and adversary capabilities, not just scores. https://t.co/ZLJ1CduWBA
@clibm079
5 Mar 2026
515 Impressions
3 Retweets
5 Likes
1 Bookmark
0 Replies
0 Quotes
A new ransomware group called Reynolds is leveraging BYOVD (Bring Your Own Vulnerable Driver) to disable EDR/AV before encryption. They’re abusing the NSecKrnl driver (CVE-2025-68947) to reduce visibility at the kernel level. If you’re not monitoring vulnerable drivers and h
@Brandefense
27 Feb 2026
95 Impressions
1 Retweet
3 Likes
1 Bookmark
0 Replies
0 Quotes
Reynolds Ransomware doesn’t just encrypt files. It disables defenses at the kernel level first. Our Threat Research team analyzed its BYOVD abuse of NSecKrnl.sys (CVE-2025-68947), AV/EDR termination via IOCTL, multi-threaded encryption & qTox comms. https://t.co/dChzUlummV
@Gurucul
25 Feb 2026
36 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Reynolds Ransomware: BYOVD Abuse of NSecKrnl.sys (CVE-2025-68947) for Kernel-Level Defense Evasion https://t.co/4TfRX6nN7E Introduction: Reynolds Ransomware employs a Bring Your Own Vulnerable Driver (BYOVD) strategy to disable endpoint defenses before initiating encryption.
@f1tym1
24 Feb 2026
44 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Happy to share my writeup for the challenge 'Kernel Shield' on https://t.co/VjZa958DNA, created by @MalGamy12. In this challenge we are tasked to analyze a benign kernel driver file, which can be exploited to kill specific processes (CVE-2025-68947). https://t.co/xNaoz9A1kO
@0x747863
17 Feb 2026
2612 Impressions
9 Retweets
31 Likes
26 Bookmarks
0 Replies
0 Quotes
🚨 New Challenge: Kernel Shield. Reverse engineer the NSecKrnl driver (CVE-2025-68947), weaponized in the #Reynolds ransomware BYOVD campaign to kill EDR/AV processes. Challenge: https://t.co/7ANwUH5j5J Discord: https://t.co/oBPe6oItWX https://t.co/P8ov6OFYTZ
@MalOps_io
14 Feb 2026
1 Impression
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 New Challenge: Kernel Shield. Reverse engineer the NSecKrnl driver (CVE-2025-68947), weaponized in the #Reynolds ransomware BYOVD campaign to kill EDR/AV processes. 🔗 https://t.co/2Cob78hObV 🔗 https://t.co/hZlNYL9AFK https://t.co/9wxwdIRwJw
@MalGamy12
14 Feb 2026
1532 Impressions
3 Retweets
34 Likes
10 Bookmarks
2 Replies
0 Quotes
🚨 Reynolds Ransomware Goes BYOVD: Driver Exploit to Kill EDR Before Encryption New “Reynolds” ransomware is using a Bring Your Own Vulnerable Driver (BYOVD) approach—abusing the NsecSoft NSecKrnl driver tied to CVE-2025-68947—to escalate privileges and terminate securi
@ThreatSynop
12 Feb 2026
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Reynolds Ransomware Bundles BYOVD Driver to Kill EDR Before Encrypting Reynolds is a newly identified ransomware that embeds a vulnerable signed NsecSoft kernel driver (NSecKrnl) and exploits CVE-2025-68947 to terminate major security/EDR processes (Defender, CrowdStrike,
@ThreatSynop
11 Feb 2026
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Reynolds Ransomware Packs BYOVD Driver to Kill EDR Before Encryption A new ransomware strain dubbed Reynolds bundles a vulnerable signed driver (NsecSoft NSecKrnl, CVE-2025-68947) inside the payload to terminate EDR/AV processes (e.g., CrowdStrike, Cortex XDR, Sophos,
@ThreatSynop
10 Feb 2026
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Tactical evolution: Reynolds uses CVE-2025-68947 and BYOVD to neutralize Sophos, ESET, Defender and CrowdStrike from the kernel. The payload disables defenses before encryption. IOCs (SHA-256) detailed in the images. #Infosec #Reynolds #BYOVD #Cybersecurity #Fenikso https://t.
@fenikso_io
10 Feb 2026
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️🛠️ Reynolds ransomware embeds its own BYOVD evasion, bundling a vulnerable driver to disable EDR before encryption. It drops the NSecKrnl driver (CVE-2025-68947) to kill security tools, reducing detection and affiliate effort. 🔗 Read full attack chain and defense
@TheHackersNews
10 Feb 2026
53300 Impressions
22 Retweets
81 Likes
25 Bookmarks
3 Replies
1 Quote
🚨 Black Basta Levels Up: BYOVD Driver Embedded Directly Inside Ransomware Payload A new Black Basta campaign embeds a “Bring Your Own Vulnerable Driver” (BYOVD) component directly into the ransomware, dropping the signed NsecSoft NSecKrnl driver and abusing CVE-2025-68947
@ThreatSynop
9 Feb 2026
89 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Black Basta ransomware uses a vulnerable signed kernel driver (CVE-2025-68947) embedded in its payload to kill security processes and evade defenses, appending “.locked” to encrypted files. Includes GotoHTTP RAT for persistence. #BlackBasta #RansomwareEv… https://t.co/eHK8d
@TweetThreatNews
6 Feb 2026
114 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
The ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and tries to create an NSecKrnl service. This driver is then exploited to kill processes. The NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947), which h
@blackorbird
6 Feb 2026
4111 Impressions
11 Retweets
55 Likes
21 Bookmarks
0 Replies
1 Quote
🚨 Black Basta embeds BYOVD inside ransomware payload to kill EDR at kernel level Symantec/Carbon Black report Black Basta bundling a vulnerable signed driver (NsecSoft NSecKrnl, CVE-2025-68947) directly inside the ransomware, dropping it as a service and abusing IOCTLs to
@ThreatSynop
5 Feb 2026
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68947 NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Proces… https://t.co/EFxEy25ieG
@CVEnew
15 Jan 2026
134 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Kernel Panic: How a Single IOCTL Bug (#CVE-2025-68947) Lets Hackers Kill Any Process on Your Machine https://t.co/8Y76sEj183 Educational Purposes!
@UndercodeUpdate
14 Jan 2026
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes