CVE-2025-45737
NeacController — arbitrary kernel read/write via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | NeacController.sys |
| Vendor | NEAC |
| Vulnerability Class | Arbitrary R/W / IOCTL Access Control |
| Abused Version | 1.0.0.0 |
| Status | Still loadable — not widely blocklisted |
| Exploited ITW | No |
BYOVD Context
- Driver signing: Authenticode-signed with valid certificate
- Vulnerable Driver Blocklist: Not included in Microsoft's recommended driver block rules
- HVCI behavior: May load on HVCI-enabled systems
- KDU integration: Not integrated
- LOLDrivers: Not yet listed
Affected IOCTLs
- Arbitrary kernel virtual memory read
- Arbitrary kernel virtual memory write
Root Cause
NeacController.sys is a kernel driver that exposes IOCTLs for direct kernel memory access. The driver accepts a user-supplied kernel address and performs read or write operations without validation of the caller's privilege level or the target address range. The device object has permissive ACLs.
smallzhong documented the vulnerability and provided a PoC on GitHub.
Exploitation
Standard arbitrary R/W BYOVD exploitation:
- Load the signed NeacController.sys driver
- Open a device handle
- Read/write kernel memory via IOCTLs
- Perform EPROCESS token swap for SYSTEM escalation
Detection
YARA Rule
```yara
rule CVE_2025_45737_NeacController {
    meta:
        description = "Detects NeacController.sys vulnerable driver"
        cve = "CVE-2025-45737"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "NeacController" wide ascii nocase
        $neac = "NEAC" wide ascii
    condition:
        $mz at 0 and ($driver_name or $neac)
}
```

Note that the condition is deliberately broad: any PE file containing the string "NEAC" or "NeacController" matches, so treat hits as triage candidates and confirm with the file hash and Authenticode signer before acting on them.
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of NeacController.sys |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Driver service creation |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of NeacController.sys from any location
- Kernel memory R/W IOCTL patterns
- Privilege escalation following driver interaction
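The following is an added detection example, not part of the original advisory or of KernelSight's tooling. It turns the ETW and behavioral indicators above into checks that run over Sysmon Event ID 6 (driver loaded) and Security 4697 (service installed) records: it matches the driver by image name, by the NEAC signer string and by an optional SHA256 set, flags loads from outside the system drivers directory, and escalates when a kernel-driver service install for the file precedes the load within a short window. The three XML records are constructed samples, the `KNOWN_BAD_SHA256` entry is a labelled placeholder (the page publishes no hashes), and the severity labels are this example's own convention.

```python
"""Flag NeacController.sys driver loads and related service installs in Windows event XML."""
import ntpath
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Indicators taken from the advisory. The hash set is a placeholder: populate it
# from a trusted source before use, since the advisory publishes no hashes.
DRIVER_NAME = "neaccontroller.sys"
SIGNER_SUBSTRING = "neac"
KNOWN_BAD_SHA256 = {"placeholder_sha256_of_neaccontroller_sys_1_0_0_0"}
EXPECTED_DIR = r"c:\windows\system32\drivers"

# Constructed sample records (not real telemetry).
SERVICE_INSTALL_4697 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4697</EventID>
    <TimeCreated SystemTime="2025-06-01T09:59:30Z"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">admin</Data>
    <Data Name="ServiceName">NeacSvc</Data>
    <Data Name="ServiceFileName">\??\C:\Users\Public\NeacController.sys</Data>
    <Data Name="ServiceType">0x1</Data>
    <Data Name="ServiceStartType">3</Data>
  </EventData>
</Event>"""

SYSMON_DRIVER_LOAD = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID>
    <TimeCreated SystemTime="2025-06-01T10:00:00Z"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="ImageLoaded">C:\Users\Public\NeacController.sys</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">NEAC</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>"""

BENIGN_DRIVER_LOAD = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID>
    <TimeCreated SystemTime="2025-06-01T10:05:00Z"/><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\disk.sys</Data>
    <Data Name="Hashes">SHA256=1111111111111111111111111111111111111111111111111111111111111111</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>"""

SAMPLE_RECORDS = [SYSMON_DRIVER_LOAD, BENIGN_DRIVER_LOAD, SERVICE_INSTALL_4697]


def _data(root, name):
    """Return the text of the EventData/Data element with the given Name attribute."""
    node = root.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return (node.text or "") if node is not None else ""


def parse_event(xml_text):
    """Extract provider, event id and timestamp; keep the tree for field lookups."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    return {"provider": system.find("e:Provider", NS).get("Name", ""),
            "event_id": int(system.find("e:EventID", NS).text),
            "time": datetime.fromisoformat(stamp), "root": root}


def _sha256(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    for part in hashes_field.split(","):
        if part.strip().upper().startswith("SHA256="):
            return part.split("=", 1)[1].strip().lower()
    return ""


def check_driver_load(ev):
    """Sysmon Event ID 6: return the reasons this driver load is suspicious (empty if none)."""
    root, reasons = ev["root"], []
    image = _data(root, "ImageLoaded")
    if ntpath.basename(image).lower() == DRIVER_NAME:
        reasons.append("image name matches NeacController.sys")
    if SIGNER_SUBSTRING in _data(root, "Signature").lower():
        reasons.append("Authenticode signer contains NEAC")
    if _sha256(_data(root, "Hashes")) in KNOWN_BAD_SHA256:
        reasons.append("SHA256 in known vulnerable-driver set")
    # Behavioral indicator: the driver loaded from any location is suspicious,
    # and a path outside the drivers directory is stronger evidence of BYOVD.
    if reasons and ntpath.dirname(image).lower() != EXPECTED_DIR:
        reasons.append(f"loaded from non-standard path {image}")
    return reasons


def check_service_install(ev):
    """Security 4697: flag a service whose binary is the vulnerable driver."""
    root = ev["root"]
    svc_file = _data(root, "ServiceFileName")
    if ntpath.basename(svc_file).lower() != DRIVER_NAME:
        return []
    kind = "kernel driver" if _data(root, "ServiceType").lower() == "0x1" else "service"
    return [f"{kind} '{_data(root, 'ServiceName')}' installed for {svc_file}"]


def scan(xml_records, window=timedelta(minutes=10)):
    """Return (severity, time, reasons) alerts; a 4697 install followed by the load is escalated."""
    events = sorted((parse_event(x) for x in xml_records), key=lambda e: e["time"])
    alerts, last_install = [], None
    for ev in events:
        if ev["event_id"] == 4697 and "Security-Auditing" in ev["provider"]:
            reasons = check_service_install(ev)
            if reasons:
                last_install = ev["time"]
                alerts.append(("medium", ev["time"], reasons))
        elif ev["event_id"] == 6 and "Sysmon" in ev["provider"]:
            reasons = check_driver_load(ev)
            if reasons:
                severity = "high"
                if last_install is not None and ev["time"] - last_install <= window:
                    severity = "critical"
                    reasons.append("preceded by matching service install (4697)")
                alerts.append((severity, ev["time"], reasons))
    return alerts


if __name__ == "__main__":
    for severity, when, reasons in scan(SAMPLE_RECORDS):
        print(severity, when.isoformat(), "; ".join(reasons))
```

Matching on the image name alone is weak, since the file can be renamed before loading; the signer substring and a hash set catch that, while the path check and the 4697 correlation add the context that distinguishes an attacker-staged driver from a legitimate install.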