CVE-2025-61156
TfSysMon.sys — insecure access control enables BYOVD process termination
Exploited in the Wild
Actively abused by eCrime groups as a BYOVD vector for EDR/AV termination.
Summary
| Field | Value |
|---|---|
| Driver | TfSysMon.sys (ThreatFire System Monitor) |
| Vulnerability Class | Insecure Access Control |
| Exploited ITW | Yes (BYOVD) |
| Vendor | PC Tools / Symantec (ThreatFire) |
Root Cause
The ThreatFire system monitor driver exposes IOCTL handlers that perform no access-control checks on the caller. Any user-mode process can open a handle to the device and send IOCTLs that terminate arbitrary processes, including security products. Because the driver is legitimately signed, it loads on default Windows configurations without triggering signature enforcement.
Exploitation
Attackers drop the signed TfSysMon.sys driver, load it via the Service Control Manager, and send IOCTLs to terminate EDR/AV processes before deploying ransomware or other payloads.
Exploitation Primitive
Load signed TfSysMon.sys → open device handle → send process termination IOCTL → kill EDR/AV processes
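The sequence in the Exploitation section and the primitive chain above leave a distinctive trace on the endpoint: a kernel service is installed and the TfSysMon.sys driver loads, and shortly afterwards security-product processes exit. The detection logic below is an added example written for this advisory, not code from the advisory or from any vendor. It correlates driver-load events with later terminations of security processes on the same host. The driver name comes from the advisory; the sample records, their field names (modelled loosely on Sysmon DriverLoad/ProcessTerminate events and the System log service-install event) and the security-process image names are constructed assumptions, so adapt the field mapping and the process list to your own telemetry.

```python
import json
from datetime import datetime

# Driver name from the advisory. Matching is case-insensitive because
# Windows file names are.
VULNERABLE_DRIVERS = {"tfsysmon.sys"}

# Hypothetical image names standing in for deployed EDR/AV processes;
# replace with the products actually running in your environment.
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe"}

# Constructed sample telemetry (not a real export). One JSON record per line.
# Shapes are simplified from Sysmon Event ID 6 (DriverLoad), Sysmon Event ID 5
# (ProcessTerminate) and System log Event ID 7045 (service installed).
SAMPLE_LOG = r"""
{"ts": "2025-01-10T09:00:01", "host": "ws01", "event": "ServiceInstalled", "service": "tfsysmon", "image": "\\??\\C:\\Temp\\TfSysMon.sys", "start_type": "kernel"}
{"ts": "2025-01-10T09:00:02", "host": "ws01", "event": "DriverLoad", "image": "C:\\Temp\\TfSysMon.sys", "signed": true}
{"ts": "2025-01-10T09:00:04", "host": "ws01", "event": "ProcessTerminate", "image": "C:\\Program Files\\EDR\\edr_agent.exe", "pid": 1234}
{"ts": "2025-01-10T09:00:05", "host": "ws01", "event": "ProcessTerminate", "image": "C:\\Program Files\\AV\\av_service.exe", "pid": 2345}
{"ts": "2025-01-10T11:30:00", "host": "ws02", "event": "DriverLoad", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signed": true}
{"ts": "2025-01-10T11:31:00", "host": "ws02", "event": "ProcessTerminate", "image": "C:\\Windows\\notepad.exe", "pid": 777}
"""


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path (handles \\??\\ prefixes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON records and sort them by timestamp."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for rec in records:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    return sorted(records, key=lambda rec: rec["ts"])


def detect_byovd(records: list, window_seconds: int = 300) -> list:
    """Flag loads of a known-vulnerable driver (medium) and any termination of a
    security-product process on the same host within `window_seconds` of that
    load (high). Returns findings in event order."""
    findings = []
    last_vulnerable_load = {}  # host -> (timestamp, driver image path)
    for rec in records:
        host = rec["host"]
        name = basename(rec.get("image", ""))
        if rec["event"] in ("ServiceInstalled", "DriverLoad") and name in VULNERABLE_DRIVERS:
            last_vulnerable_load[host] = (rec["ts"], rec["image"])
            findings.append({
                "host": host, "severity": "medium", "ts": rec["ts"],
                "rule": "vulnerable_driver_load", "driver": rec["image"],
            })
        elif rec["event"] == "ProcessTerminate" and name in SECURITY_PROCESSES:
            if host not in last_vulnerable_load:
                continue
            load_ts, driver = last_vulnerable_load[host]
            if (rec["ts"] - load_ts).total_seconds() <= window_seconds:
                findings.append({
                    "host": host, "severity": "high", "ts": rec["ts"],
                    "rule": "security_process_terminated_after_vulnerable_driver_load",
                    "driver": driver, "victim": rec["image"],
                })
    return findings


if __name__ == "__main__":
    for finding in detect_byovd(parse_log(SAMPLE_LOG)):
        print(finding["severity"].upper(), finding["host"], finding["rule"], finding.get("victim", finding["driver"]))
```

The driver-load rule alone is worth a medium alert even without a follow-on termination, since the advisory states the driver has no legitimate reason to appear on modern endpoints; blocking it outright through a driver blocklist (for example the Microsoft vulnerable driver blocklist or an application-control policy, where available) is the durable mitigation, and the correlation rule catches hosts where that control is absent.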