CVE-2025-52915
K7RKScan.sys -- missing IOCTL caller validation allows process termination, BYOVD evolution study
Summary
| Field | Value |
|---|---|
| Driver | K7RKScan.sys (K7 Security Anti-Malware) |
| Vendor | K7 Computing |
| Vulnerability Class | Missing Authorization / Process Termination |
| Exploited ITW | No (public PoC) |
| Status | Vulnerable versions still loadable |
| Related | CVE-2025-1055 (earlier version, zero validation) |
Root Cause
This vulnerability tells a story about the limits of incremental security fixes. BlackSnufkin's research traces the evolution of a single flaw across two versions of the K7 Security anti-malware driver, showing how a "fix" that seemed adequate still left the door open for BYOVD abuse.
The original vulnerability, CVE-2025-1055, was discovered in K7RKScan.sys version 15.1.0.6. That version had no caller validation at all. Any process running at any privilege level could send IOCTL 0x222018 to the driver with a target PID, and the driver would dutifully call ZwTerminateProcess on that PID. A standard user could kill SYSTEM processes, admin services, or security products without any elevation.
K7 Computing patched the issue in version 23.0.0.10 by adding admin checks and process filtering. The updated driver verifies that the caller has administrative privileges and applies some filtering to prevent termination of certain protected processes. This is where CVE-2025-52915 picks up.
The problem is that these checks, while blocking unprivileged abuse, do not prevent the more dangerous scenario: a post-compromise attacker who already has admin rights using the driver to terminate PPL-protected processes. Protected Process Light (PPL) is Windows' mechanism for shielding security products from tampering, even by administrators. A user-mode TerminateProcess call fails against PPL processes regardless of the caller's privilege level. But ZwTerminateProcess called from kernel context bypasses PPL entirely. The "fixed" driver still calls ZwTerminateProcess on behalf of admin callers, effectively providing a kernel-mode process termination primitive that pierces PPL protection.
Exploitation
Direct (CVE-2025-1055)
Any user sends IOCTL 0x222018 with a target PID. The driver calls ZwTerminateProcess without checking the caller's privilege level. No admin rights needed, no BYOVD setup required.
BYOVD (CVE-2025-52915)
In a post-compromise scenario, the attacker already has admin access (common after initial exploitation or lateral movement). They drop the signed K7RKScan.sys driver, load it as a service, and send IOCTL 0x222018 with the PID of the target EDR or AV process. The driver's admin check passes, and it calls ZwTerminateProcess from kernel context, terminating the PPL-protected security product. With the EDR killed, the attacker proceeds with their primary objective: ransomware deployment, data exfiltration, or persistence.
Exploitation Primitive
Load K7RKScan.sys -> IOCTL 0x222018 with target PID
-> ZwTerminateProcess from kernel context
-> terminate EDR/AV including PPL-protected processes
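The driver load followed by the kill of a protected security process is the observable side of this chain. As an added detection example (not code from BlackSnufkin's research or from K7's product), the Python below correlates a Sysmon DriverLoad event for K7RKScan.sys with a later ProcessTerminate of a security-product image on the same host; the simplified log format, host names, paths and the protected-image list are constructed assumptions.

```python
"""Added detection example (not from the writeup or K7): correlate K7RKScan.sys loads
with security-product terminations in a constructed, simplified Sysmon rendering:
    timestamp|host|event_id|image   (ID 6 = DriverLoad, 5 = ProcessTerminate)
Lines are assumed to be in time order."""
from collections import defaultdict
from datetime import datetime, timedelta

VULN_DRIVER = "k7rkscan.sys"
PROTECTED_IMAGES = {"msmpeng.exe", "mssense.exe"}   # illustrative; extend per estate
EXPECTED_DIR = "c:\\windows\\system32\\drivers\\"
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry, not real events.
SAMPLE_LOG = r"""
2025-06-01T10:00:01Z|WS01|6|C:\Users\bob\AppData\Local\Temp\K7RKScan.sys
2025-06-01T10:00:05Z|WS01|1|C:\Users\bob\loader.exe
2025-06-01T10:00:09Z|WS01|5|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe
2025-06-01T11:30:00Z|WS02|5|C:\Program Files\Windows Defender\MsMpEng.exe
2025-06-01T12:00:00Z|WS03|6|C:\Windows\System32\drivers\K7RKScan.sys
"""

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_byovd_kills(log_text: str) -> dict:
    """Protected-process kills preceded by a K7RKScan.sys load on the same host,
    plus loads of the driver from outside the normal drivers directory."""
    loads = defaultdict(list)  # host -> timestamps of K7RKScan.sys loads
    kills, odd_loads = [], []
    for line in log_text.strip().splitlines():
        ts_s, host, event_id, image = line.split("|", 3)
        ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
        name = _basename(image)
        if event_id == "6" and name == VULN_DRIVER:
            loads[host].append(ts)
            # The name alone is not proof: K7's own product loads this driver and the
            # name does not reveal the version. A copy dropped outside the drivers
            # directory is the "drop and load as a service" pattern from the writeup.
            if not image.lower().startswith(EXPECTED_DIR):
                odd_loads.append((host, ts_s, image))
        elif event_id == "5" and name in PROTECTED_IMAGES:
            # A PPL-protected product dying shortly after the driver load on the same
            # host is the high-confidence signal; a kill alone (WS02) is not flagged.
            if any(timedelta(0) <= ts - t <= WINDOW for t in loads[host]):
                kills.append((host, ts_s, name))
    return {"kills": kills, "odd_loads": odd_loads}
```

In production, pair the name match with the file hash or version of the loaded image so that a patched K7RKScan.sys from an installed K7 product is not flagged on every boot.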
Broader Significance
This case is a valuable teaching example because it shows that "adding admin checks" is not a complete fix for BYOVD-class vulnerabilities. The threat model for BYOVD assumes the attacker already has admin rights. The real question is whether the driver exposes kernel-mode capabilities that an admin-level attacker could not achieve through user-mode APIs alone. In this case, the answer is yes: kernel-mode ZwTerminateProcess bypasses PPL, which is specifically designed to resist admin-level tampering. The proper fix would be to either remove the process termination IOCTL entirely or to implement PPL-aware restrictions in the kernel-mode code path.