
CVE-2025-52915

K7RKScan.sys — missing IOCTL caller validation allows process termination, BYOVD evolution study

Summary

Driver: K7RKScan.sys (K7 Security Anti-Malware)
Vendor: K7 Computing
Vulnerability Class: Missing Authorization / Process Termination
Exploited ITW: No (public PoC)
Status: Vulnerable versions still loadable
Related: CVE-2025-1055 (earlier version, zero validation)

Root Cause

Two versions of the driver show different levels of the same flaw:

  • CVE-2025-1055 (v15.1.0.6) -- no caller validation at all. Any low-privilege user can send IOCTL 0x222018 to terminate processes running as SYSTEM or admin.
  • CVE-2025-52915 (v23.0.0.10) -- K7 added admin checks and process filtering, but an admin-level BYOVD attacker can still terminate PPL-protected processes that are normally immune to TerminateProcess.

BlackSnufkin's research traces the evolution from zero-validation to partial-validation and shows how both remain exploitable in a BYOVD context.

Exploitation

Direct (CVE-2025-1055)

Any user sends IOCTL 0x222018 with a target PID. The driver calls ZwTerminateProcess without checking the caller's privilege level.

BYOVD (CVE-2025-52915)

An admin-level attacker (typical in post-compromise scenarios) loads the signed driver and terminates PPL-protected EDR agents. User-mode TerminateProcess cannot do this even with admin rights.

Exploitation Primitive

Load K7RKScan.sys → IOCTL 0x222018 with target PID
  → ZwTerminateProcess (no/insufficient caller validation)
  → terminate EDR/AV including PPL processes
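As an added defender-side example (not code from the advisory or from BlackSnufkin's research), the block below decodes the IOCTL code named above into its CTL_CODE fields and scans driver-load records for the two K7RKScan.sys versions the advisory lists. The log lines are constructed; the FileVersion field is an assumed enrichment, since Sysmon Event ID 6 does not emit a file version on its own.

```python
import re

# Versions the advisory names as vulnerable. Assumption: only these two are
# matched here; nothing is asserted about other builds.
VULNERABLE_VERSIONS = {"15.1.0.6": "CVE-2025-1055", "23.0.0.10": "CVE-2025-52915"}

def decode_ioctl(code: int) -> dict:
    """Split a Windows CTL_CODE into DeviceType, RequiredAccess, Function, Method
    (winioctl.h layout). FILE_ANY_ACCESS means the I/O manager imposes no
    handle-access requirement, so any caller check must live in the driver."""
    methods = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
    access = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
              "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
    return {
        "device_type": code >> 16,
        "access": access[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": methods[code & 0x3],
    }

# Constructed sample records in a key=value layout resembling Sysmon Event ID 6
# (DriverLoad). Paths and versions are illustrative, not observed data.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Program Files\\K7 Computing\\K7RKScan.sys FileVersion=23.0.0.10 Signed=true",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\K7RKScan.sys FileVersion=15.1.0.6 Signed=true",
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys FileVersion=10.0.19041.1 Signed=true",
]

# key=value pairs; values may contain spaces, so stop only before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))

def flag_driver_loads(lines) -> list:
    """Return (path, version, cve) for every load of a listed-vulnerable K7RKScan.sys.
    A signed driver is still flagged: signature validity is exactly why BYOVD works."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue
        path = ev.get("ImageLoaded", "")
        if path.lower().rsplit("\\", 1)[-1] != "k7rkscan.sys":
            continue
        cve = VULNERABLE_VERSIONS.get(ev.get("FileVersion", ""))
        if cve:
            hits.append((path, ev["FileVersion"], cve))
    return hits
```

Decoding 0x222018 yields FILE_DEVICE_UNKNOWN (0x22), function 0x806, METHOD_BUFFERED and FILE_ANY_ACCESS, which is why the driver itself, not the I/O manager, has to validate the caller.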

References