CVE-2025-68947
NSecKrnl.sys — missing IOCTL authorization allows arbitrary process termination, abused by Reynolds ransomware
Exploited in the Wild
Reynolds ransomware embeds this driver directly in the ransomware payload to disable EDR before encryption.
Summary
| Field | Value |
|---|---|
| Driver | NSecKrnl.sys |
| Vendor | NsecSoft |
| Vulnerability Class | Missing Authorization / Process Termination |
| CVSS | 5.7 |
| Exploited ITW | Yes (Reynolds ransomware) |
| Status | Under active abuse |
Root Cause
The driver's IOCTL handler does not check caller permissions before executing process termination requests. Any local authenticated user can send crafted IOCTL requests to terminate arbitrary processes, including SYSTEM and PPL-protected processes like EDR agents.
Exploitation
Reynolds ransomware (a Black Basta successor) embeds NSecKrnl.sys directly within the ransomware binary. The attack chain:
- Drop the driver to a temp directory
- Load it as a kernel service
- Enumerate security agent processes (Sophos, CrowdStrike, Defender, ESET, Avast, Symantec)
- Terminate all security processes via IOCTL
- Begin file encryption
Reynolds is notable for embedding the vulnerable driver directly in the ransomware binary, eliminating the separate BYOVD delivery step that most ransomware groups use.
Exploitation Primitive
Load NSecKrnl.sys → IOCTL with target PID
→ ZwTerminateProcess at kernel level (no authorization check)
→ kill EDR/AV processes → encrypt files
Detection
Behavioral Indicators
- NSecKrnl.sys loaded as a kernel service from a temp directory
- Rapid termination of multiple security product processes
- Process termination of PPL-protected processes
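The first two indicators above can be checked over endpoint telemetry; the following is an added example, not part of the advisory, that runs the driver-load and rapid-termination rules over constructed Sysmon-style event records. The event field names, the temp-path pattern and the security-product process keywords are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Temp-directory component the driver is dropped into (assumed pattern).
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Substrings identifying security-product processes (assumed, illustrative only).
SECURITY_KEYWORDS = ("sophos", "crowdstrike", "csfalcon", "msmpeng",
                     "ekrn", "avast", "symantec", "ccsvchst")
KILL_WINDOW = timedelta(seconds=60)
KILL_THRESHOLD = 2  # distinct security processes terminated inside the window


def is_security_process(image: str) -> bool:
    name = image.rsplit("\\", 1)[-1].lower()
    return any(k in name for k in SECURITY_KEYWORDS)


def detect(events):
    """Return (timestamp, message) alerts for the two behavioral indicators."""
    alerts = []
    kills = []  # (datetime, process name) of recent security-process terminations
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "driver_load":
            path = ev["image"]
            if path.lower().endswith("nseckrnl.sys") and TEMP_DIR_RE.search(path):
                alerts.append((ev["ts"], f"vulnerable driver loaded from temp dir: {path}"))
        elif ev["type"] == "process_terminated" and is_security_process(ev["image"]):
            kills.append((ts, ev["image"].rsplit("\\", 1)[-1].lower()))
            kills = [k for k in kills if ts - k[0] <= KILL_WINDOW]  # sliding window
            distinct = {k[1] for k in kills}
            if len(distinct) >= KILL_THRESHOLD:
                alerts.append((ev["ts"], f"rapid termination of {len(distinct)} security processes"))
    return alerts


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T10:00:00", "type": "driver_load", "image": "C:\\Windows\\Temp\\NSecKrnl.sys"},
    {"ts": "2025-01-01T10:00:05", "type": "process_terminated", "image": "C:\\Vendor\\MsMpEng.exe"},
    {"ts": "2025-01-01T10:00:07", "type": "process_terminated", "image": "C:\\Vendor\\CSFalconService.exe"},
    {"ts": "2025-01-01T10:00:09", "type": "process_terminated", "image": "C:\\Vendor\\SophosHealth.exe"},
    {"ts": "2025-01-01T12:00:00", "type": "process_terminated", "image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for ts, msg in detect(SAMPLE_EVENTS):
        print(ts, msg)
```

The rapid-termination rule fires on each termination once the threshold is reached, so a production rule would deduplicate per host and window.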