CVE-2025-11156
epdlpdrv.sys -- Netskope Endpoint DLP driver null pointer dereference causes denial of service
Summary
| Field | Value |
|---|---|
| Driver | epdlpdrv.sys (Netskope Endpoint DLP) |
| Vendor | Netskope |
| Vulnerability Class | Null Pointer Dereference |
| CVSS | 5.9 (Medium) |
| Exploited in the wild | No |
| Patch Date | November 28, 2025 |
Root Cause
The Netskope Endpoint DLP minifilter driver was built on a single critical assumption: that it would always be loaded through the full Netskope client stack, which initializes a runtime context structure before the driver starts. The driver never checks that this context exists before dereferencing its pointer.
The assumption holds under normal deployment. But a local administrator can bypass the client entirely by registering epdlpdrv.sys as a standalone kernel service with sc create or the equivalent Service Control Manager APIs. When the driver starts without the Netskope client, the runtime context pointer is null. The driver dereferences it, the access to the unmapped low page faults, and the kernel bugchecks.
The result is an immediate blue screen. No code execution is possible because the crash happens before the driver reaches any state an attacker could influence. However, the driver is a signed third-party minifilter, which gives it a secondary use: a BYOVD tool for crashing machines or knocking out endpoint protection on demand.
Exploitation
An attacker with local administrator access runs sc create to register epdlpdrv.sys as a plain kernel service, stripping away the Netskope client context that the driver depends on. On service start, the driver loads, dereferences the null context pointer, and triggers a bugcheck.
No code execution occurs; this is strictly a denial-of-service primitive. But in the BYOVD context, the ability to reliably blue-screen a machine with a signed driver has operational value: disrupting incident response during an active intrusion, forcing a reboot into a less-protected state, or simply causing service outages. Because the attacker already holds administrator rights, the only barriers are the patched driver version and whatever vulnerable-driver block rules the host enforces.
Exploitation Primitive
Admin registers epdlpdrv.sys as standalone kernel service
--> driver loads without Netskope client context
--> null pointer dereference --> BSOD
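The loading path above leaves two artifacts a defender can hunt for: a service registration whose image is epdlpdrv.sys, and the System log Event ID 7045 ("A service was installed in the system") that Windows writes when the service is created. The following PowerShell is an added example for this page, not Netskope's code or tooling; it assumes you know the service name(s) your legitimate Netskope deployment registers (the $KnownGoodServiceNames list is a placeholder to fill in), and it treats any other registration of the same image as worth a look.

```powershell
# Added example: hunt for epdlpdrv.sys registered outside the Netskope client.
# Not vendor code. Run as administrator so the System log and SCM are readable.

$DriverImage = 'epdlpdrv.sys'
# Placeholder: service name(s) your legitimate Netskope install creates.
# Left empty here, so every registration of the image is reported.
$KnownGoodServiceNames = @()

$escaped = [regex]::Escape($DriverImage)

# 1. Drivers currently registered with the Service Control Manager.
#    Win32_SystemDriver covers kernel-mode and file-system services only,
#    which is exactly what a `sc create ... type= kernel` registration yields.
$registered = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -match $escaped } |
    ForEach-Object {
        [pscustomobject]@{
            Source     = 'Win32_SystemDriver'
            Service    = $_.Name
            ImagePath  = $_.PathName
            State      = $_.State
            StartMode  = $_.StartMode
            Suspicious = ($KnownGoodServiceNames -notcontains $_.Name)
        }
    }

# 2. Service-installation events. Event ID 7045 (source Service Control Manager)
#    is logged once per new service. Its EventData fields are, in order:
#    ServiceName, ImagePath, ServiceType, StartType, AccountName.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
            -ErrorAction SilentlyContinue

$installs = foreach ($e in $events) {
    $p = $e.Properties
    if ($p.Count -lt 5) { continue }
    $imagePath = [string]$p[1].Value
    if ($imagePath -notmatch $escaped) { continue }
    [pscustomobject]@{
        Source      = 'EventID 7045'
        Time        = $e.TimeCreated
        Service     = [string]$p[0].Value
        ImagePath   = $imagePath
        ServiceType = [string]$p[2].Value   # "kernel mode driver" for a driver service
        StartType   = [string]$p[3].Value
        Account     = [string]$p[4].Value   # who performed the registration
        Suspicious  = ($KnownGoodServiceNames -notcontains [string]$p[0].Value)
    }
}

@($registered) + @($installs) | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A 7045 event for this image from an interactive administrator account, followed shortly by a BugCheck entry (Event ID 1001, source BugCheck) in the same System log, is the sequence this CVE produces. The same query works as a scheduled hunt across a fleet if you replace Get-WinEvent with your SIEM's equivalent search on the 7045 ImagePath field.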
Broader Significance
CVE-2025-11156 illustrates a common pattern in endpoint security drivers: implicit trust in the deployment environment. When a driver assumes it will only be loaded through a specific software stack, every alternative loading path becomes attack surface. For minifilter drivers that carry a valid third-party signature, the bar for loading them via BYOVD is low: the signature already satisfies driver signature enforcement, so an attacker needs only administrator rights to register the driver. Even a DoS-only bug gains significance when it can be weaponized to disable the very security product the driver belongs to, and until the affected version appears on a vulnerable-driver blocklist, patching and monitoring for out-of-band service registration are the available controls.