AI description
CVE-2025-7771 is a vulnerability found in ThrottleStop.sys, a legitimate driver. The driver exposes IOCTL interfaces that allow reading and writing to physical memory. This is made possible via the MmMapIoSpace function. Attackers are exploiting this vulnerability by using a "Bring Your Own Vulnerable Driver" (BYOVD) technique to disable antivirus processes. By exploiting the exposed I/O control codes, attackers can access kernel-level functions directly, enabling them to read or write memory addresses. This allows them to bypass security defenses and install ransomware.
- Description
- ThrottleStop.sys, a legitimate driver, exposes two IOCTL interfaces that allow arbitrary read and write access to physical memory via the MmMapIoSpace function. This insecure implementation can be exploited by a malicious user-mode application to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges. The vulnerability enables local attackers to execute arbitrary code in kernel context, resulting in privilege escalation and potential follow-on attacks, such as disabling security software or bypassing kernel-level protections. ThrottleStop.sys version 3.0.0.0 and possibly others are affected. Apply updates per vendor instructions.
- Source
- vulnerability@kaspersky.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- vulnerability@kaspersky.com
- CWE-782
- Hype score
- Not currently trending
🔥 ¡Así vivimos el Día 2 de #Ekoparty 2025!: ¡una jornada llena de aprendizaje, investigación y tecnología! Nuestro equipo tuvo una destacada participación en el Main Track con Ashley Muñoz y Anderson Leite, quienes presentaron CVE-2025-7771: Antivirus Evasion Through L
@KasperskyLatino
25 Oct 2025
190 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Charlas Main Track #EKO2025 🔥 🗣️ “CVE-2025-7771: Antivirus Evasion Through Legitimate Driver Abuse” dictada por @3NTR0_py. 💡 En un incidente reciente identificamos cómo un atacante ha estado aprovechando una vulnerabilidad de un Driver legítimo para enumerar
@ekoparty
3 Oct 2025
435 Impressions
2 Retweets
6 Likes
0 Bookmarks
0 Replies
0 Quotes
How a legitimate driver is being used to take down AV processes 1. Code Execution / Escalation of Privileges in ThrottleStop.sys CVE-2025-7771 2. AV killer https://t.co/UHOnGNuIt4 https://t.co/EmWqPpIISn
@blackorbird
8 Aug 2025
9469 Impressions
38 Retweets
136 Likes
104 Bookmarks
0 Replies
0 Quotes
CVE-2025-7771 and the driver of destruction: how a legitimate driver is being used to take down AV processes https://t.co/hgsnt4KH35
@assolini
6 Aug 2025
278 Impressions
1 Retweet
1 Like
1 Bookmark
1 Reply
0 Quotes
Driver of destruction: How a legitimate driver is being used to take down AV processes #AVKiller CVE-2025-7771 https://t.co/xW9BVZADcg
@EChavarro
6 Aug 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
El driver de la destrucción: cómo un controlador legítimo se usa para desactivar los procesos antivirus #AVKiller CVE-2025-7771 https://t.co/RKWeiqJmUs
@EChavarro
6 Aug 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-7771 ThrottleStop.sys Kernel Privilege Escalation via Arbitrary Physical Memory Access https://t.co/e0f4mL3thI
@VulmonFeeds
6 Aug 2025
99 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-7771 ThrottleStop.sys, a legitimate driver, exposes two IOCTL interfaces that allow arbitrary read and write access to physical memory via the MmMapIoSpace function. This in… https://t.co/UrXRkPBFsp
@CVEnew
6 Aug 2025
526 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes