AI description
CVE-2025-7771 is a vulnerability found in ThrottleStop.sys, a legitimate driver. The driver exposes IOCTL interfaces that allow reading and writing to physical memory. This is made possible via the MmMapIoSpace function. Attackers are exploiting this vulnerability by using a "Bring Your Own Vulnerable Driver" (BYOVD) technique to disable antivirus processes. By exploiting the exposed I/O control codes, attackers can access kernel-level functions directly, enabling them to read or write memory addresses. This allows them to bypass security defenses and install ransomware.
- Description
- ThrottleStop.sys, a legitimate driver, exposes two IOCTL interfaces that allow arbitrary read and write access to physical memory via the MmMapIoSpace function. This insecure implementation can be exploited by a malicious user-mode application to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges. The vulnerability enables local attackers to execute arbitrary code in kernel context, resulting in privilege escalation and potential follow-on attacks, such as disabling security software or bypassing kernel-level protections. ThrottleStop.sys version 3.0.0.0 and possibly others are affected. Apply updates per vendor instructions.
- Source
- vulnerability@kaspersky.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- vulnerability@kaspersky.com
- CWE-782
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
20
How a legitimate driver is being used to take down AV processes 1. Code Execution / Escalation of Privileges in ThrottleStop.sys CVE-2025-7771 2. AV killer https://t.co/UHOnGNuIt4 https://t.co/EmWqPpIISn
@blackorbird
8 Aug 2025
9469 Impressions
38 Retweets
136 Likes
104 Bookmarks
0 Replies
0 Quotes
CVE-2025-7771 and the driver of destruction: how a legitimate driver is being used to take down AV processes https://t.co/hgsnt4KH35
@assolini
6 Aug 2025
278 Impressions
1 Retweet
1 Like
1 Bookmark
1 Reply
0 Quotes
Driver of destruction: How a legitimate driver is being used to take down AV processes #AVKiller CVE-2025-7771 https://t.co/xW9BVZADcg
@EChavarro
6 Aug 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
El driver de la destrucción: cómo un controlador legítimo se usa para desactivar los procesos antivirus #AVKiller CVE-2025-7771 https://t.co/RKWeiqJmUs
@EChavarro
6 Aug 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-7771 ThrottleStop.sys Kernel Privilege Escalation via Arbitrary Physical Memory Access https://t.co/e0f4mL3thI
@VulmonFeeds
6 Aug 2025
99 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-7771 ThrottleStop.sys, a legitimate driver, exposes two IOCTL interfaces that allow arbitrary read and write access to physical memory via the MmMapIoSpace function. This in… https://t.co/UrXRkPBFsp
@CVEnew
6 Aug 2025
526 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes