CVE-2025-45737
NeacController -- arbitrary kernel read/write via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | NeacController.sys |
| Vendor | NEAC |
| Vulnerability Class | Arbitrary R/W / IOCTL Access Control |
| Abused Version | 1.0.0.0 |
| Status | Still loadable -- not widely blocklisted |
| Exploited ITW | No |
BYOVD Context
- Driver signing: Authenticode-signed with valid certificate
- Vulnerable Driver Blocklist: Not included in Microsoft's recommended driver block rules
- HVCI behavior: May load on HVCI-enabled systems
- KDU integration: Not integrated
- LOLDrivers: Not yet listed
Affected IOCTLs
- Arbitrary kernel virtual memory read
- Arbitrary kernel virtual memory write
Root Cause
NeacController.sys is one of the most straightforward BYOVD candidates documented in recent research. The driver exposes IOCTLs that perform direct kernel virtual memory reads and writes with no restrictions whatsoever. There is no validation of the caller's privilege level, no filtering of target address ranges, and the device object ships with permissive ACLs that allow any user-mode process to open a handle.
The driver was originally built for hardware diagnostic purposes, but from an attacker's perspective it is a ready-made kernel read/write primitive wrapped in a signed binary. smallzhong documented the vulnerability and published a working proof-of-concept on GitHub showing the full exploitation path.
What makes this case notable is not its technical sophistication but its simplicity. There is no bypass needed, no race condition to win, no heap layout to control. The driver hands you arbitrary kernel memory access the moment you open the device. The only barrier is getting the signed binary onto disk and loading it as a service, which is trivial for any attacker with local admin access.
Exploitation
The exploitation path is as direct as the vulnerability itself. An attacker with local administrator access drops the signed NeacController.sys binary to disk, registers it as a service, and starts it. Once the driver loads, the attacker opens a handle to the device object and begins issuing read/write IOCTLs.
From there, the standard BYOVD playbook applies. The attacker reads the EPROCESS structure of the current process, walks the ActiveProcessLinks list to find the SYSTEM process (PID 4), reads its token pointer, and overwrites the current process's token with the SYSTEM token. The entire chain from driver load to SYSTEM shell can execute in under a second.
Exploitation Primitive
Load signed NeacController.sys -> open device handle
-> arbitrary kernel R/W via IOCTL
-> EPROCESS token swap -> SYSTEM
Detection
YARA Rule
rule CVE_2025_45737_NeacController {
meta:
description = "Detects NeacController.sys vulnerable driver"
cve = "CVE-2025-45737"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "NeacController" wide ascii nocase
$neac = "NEAC" wide ascii
condition:
$mz at 0 and ($driver_name or $neac)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of NeacController.sys |
| Sysmon | Event ID 6 -- Driver loaded | Hash and signature capture |
| Microsoft-Windows-Security-Auditing | Event 4697 -- Service installed | Driver service creation |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of
NeacController.sysfrom any location outside the expected vendor install path - Service creation for an unknown driver binary followed immediately by device handle opens
- Kernel memory R/W IOCTL patterns from non-diagnostic processes
- Privilege escalation following driver interaction
Broader Significance
NeacController represents the baseline case for BYOVD: a signed driver with zero access controls on dangerous primitives. It is not on Microsoft's recommended block list, not in LOLDrivers, and not integrated into KDU. That means it can still be loaded on systems where HVCI and driver blocklisting are not enforced. For defenders, this is a reminder that the BYOVD threat extends well beyond the handful of well-known drivers. The long tail of obscure, legitimately signed drivers with overpermissive IOCTLs remains largely unmapped.