CVE-2025-61156
TfSysMon.sys -- insecure access control enables BYOVD process termination
Exploited in the Wild
Actively abused by eCrime groups as a BYOVD vector for EDR/AV termination.
Summary
| Field | Value |
|---|---|
| Driver | TfSysMon.sys (ThreatFire System Monitor) |
| Vulnerability Class | Insecure Access Control |
| Exploited ITW | Yes (BYOVD) |
| Vendor | PC Tools / Symantec (ThreatFire) |
Root Cause
ThreatFire was a behavioral-based security product originally developed by PC Tools and later acquired by Symantec. The product has been discontinued for years, but its kernel driver, TfSysMon.sys, remains signed with a valid Authenticode certificate. This is the core of the problem: a legitimate, signed driver from a defunct product that still loads on modern Windows systems.
The driver exposes IOCTL handlers that can terminate arbitrary processes. There are no access control checks on the device object or the IOCTL handlers. Any user-mode process that can open a handle to the device can send the termination IOCTL with a target PID, and the driver will kill that process from kernel context. This includes processes protected by PPL (Protected Process Light), which are immune to user-mode TerminateProcess calls.
The absence of any access control is particularly egregious because the driver was originally designed as a security product. Its process termination capability was intended to kill malware, but without access restrictions, the same capability is available to anyone, including the malware it was meant to stop.
Exploitation
eCrime groups have adopted TfSysMon.sys as a BYOVD (Bring Your Own Vulnerable Driver) weapon. The attack follows the standard BYOVD playbook.
The attacker arrives on a system with local admin access, typically through initial compromise (phishing, exposed RDP, or lateral movement). They drop the signed TfSysMon.sys binary to disk and register it as a kernel driver service using the Service Control Manager. Once loaded, they open a handle to the device and send the process termination IOCTL with the PID of the target EDR or antivirus process.
The driver terminates the security product from kernel context, bypassing all user-mode protections including PPL. With the EDR killed, the attacker proceeds with their primary objective, which in observed campaigns has typically been ransomware deployment.
A public PoC by D7EAD demonstrates the full chain from driver loading to process termination.
Exploitation Primitive
```
Drop signed TfSysMon.sys -> register and load via SCM
  -> open device handle (no ACL check)
  -> send process termination IOCTL with target PID
  -> kernel-mode ZwTerminateProcess -> EDR/AV killed
```
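Each step of the chain above leaves a trace in standard Windows telemetry: the driver service registration appears as System log event 7045 (new service, type "kernel mode driver"), the driver load as Sysmon event 6 (DriverLoad), and the kill as Sysmon event 5 (ProcessTerminate) for the security product. The following detection logic is an added example for this page, not code from the advisory or from any vendor; it correlates those three stages over constructed sample records. The driver name comes from the advisory, while the paths, timestamps, PIDs and the list of security process names are assumptions made up for the example.

```python
"""Added detection example for the TfSysMon.sys BYOVD chain (not from the advisory).

Stages and the telemetry each one produces:
  1. System log event 7045: a new kernel-mode driver service is installed
  2. Sysmon event 6 (DriverLoad): TfSysMon.sys is loaded
  3. Sysmon event 5 (ProcessTerminate): a security process exits right after
Field names follow the Sysmon/System event schemas; the record values below
(paths, times, PIDs, service name) are constructed for this example.
"""
from datetime import datetime, timedelta

# Driver name taken from the advisory, lower-cased for case-insensitive matching.
KNOWN_BYOVD_DRIVERS = {"tfsysmon.sys"}

# Constructed list of defensive process names; replace with your EDR/AV binaries.
SECURITY_PROCESS_NAMES = {"msmpeng.exe", "sense.exe", "edr_agent.exe"}

# How soon after a flagged driver load a security-process exit counts as correlated.
TERMINATION_WINDOW = timedelta(minutes=5)

# Constructed sample events: one full chain plus an unrelated, benign driver load.
SAMPLE_EVENTS = [
    {"log": "System", "event_id": 7045, "time": "2025-10-01T10:00:00",
     "ServiceName": "TfSysMon", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Windows\\Temp\\TfSysMon.sys"},
    {"log": "Sysmon", "event_id": 6, "time": "2025-10-01T10:00:02",
     "ImageLoaded": "C:\\Windows\\Temp\\TfSysMon.sys", "Signed": "true"},
    {"log": "Sysmon", "event_id": 5, "time": "2025-10-01T10:00:04",
     "ProcessId": 4321, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"log": "Sysmon", "event_id": 6, "time": "2025-10-01T11:00:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true"},
]


def basename(path):
    """File name component of a Windows path, lower-cased (handles \\??\\ prefixes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return one finding per chain stage observed, in event order."""
    findings = []
    loads = []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if (ev["log"] == "System" and ev["event_id"] == 7045
                and ev.get("ServiceType", "").lower() == "kernel mode driver"
                and basename(ev.get("ImagePath", "")) in KNOWN_BYOVD_DRIVERS):
            findings.append({"stage": "driver_service_installed", "time": when,
                             "detail": f"service {ev['ServiceName']} -> {ev['ImagePath']}"})
        elif (ev["log"] == "Sysmon" and ev["event_id"] == 6
                and basename(ev.get("ImageLoaded", "")) in KNOWN_BYOVD_DRIVERS):
            finding = {"stage": "driver_loaded", "time": when, "detail": ev["ImageLoaded"]}
            findings.append(finding)
            loads.append(finding)
    # Stage 3: a security process terminated within the window after a flagged load.
    # On its own a security-process exit is noisy; the preceding driver load is
    # what turns it into a high-confidence signal.
    for ev in events:
        if not (ev["log"] == "Sysmon" and ev["event_id"] == 5):
            continue
        if basename(ev.get("Image", "")) not in SECURITY_PROCESS_NAMES:
            continue
        when = datetime.fromisoformat(ev["time"])
        if any(timedelta(0) <= when - load["time"] <= TERMINATION_WINDOW for load in loads):
            findings.append({"stage": "security_process_terminated", "time": when,
                             "detail": f"pid {ev['ProcessId']} {ev['Image']}"})
    return findings


def classify(findings):
    """'critical' when the chain completed, 'high' when the driver appeared at all,
    'none' otherwise."""
    stages = {f["stage"] for f in findings}
    if "security_process_terminated" in stages:
        return "critical"
    if stages & {"driver_service_installed", "driver_loaded"}:
        return "high"
    return "none"


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time'].isoformat()} {f['stage']}: {f['detail']}")
    print("severity:", classify(found))
```

Matching here is on the driver file name only, because the advisory gives no hash or signer string for the binary; in production the Sysmon event 6 `Hashes` field should also be compared against the hashes in the Vulnerable Driver Blocklist so that a renamed copy is still caught. The 7045 stage is worth alerting on by itself: on a host where the blocklist is enforced the load stage will never occur, but the service registration still shows an attacker who has local admin and is attempting the technique.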
Broader Significance
TfSysMon.sys is a cautionary tale about the lifecycle of signed kernel drivers. ThreatFire was discontinued years ago, but its driver certificate was never revoked and the binary was never added to Microsoft's Vulnerable Driver Blocklist. The result is a free pass to kernel-mode process termination on any system where the blocklist is not enforced. This highlights a systemic gap: when security products are discontinued, their signed kernel drivers become permanent BYOVD assets unless the certificates are actively revoked. For defenders, the mitigation is HVCI with driver blocklisting. For the broader ecosystem, the fix requires vendors to revoke certificates for drivers in discontinued products.