CVE-2025-68947
NSecKrnl.sys -- missing IOCTL authorization turns security driver into an EDR killer, embedded directly in Reynolds ransomware
Exploited in the Wild
Reynolds ransomware embeds this driver directly in the ransomware payload to disable EDR before encryption.
Summary
| Field | Value |
|---|---|
| Driver | NSecKrnl.sys |
| Vendor | NsecSoft |
| Vulnerability Class | Missing Authorization / Process Termination |
| CVSS | 5.7 |
| Exploited ITW | Yes (Reynolds ransomware) |
| Status | Under active abuse |
Context
Most BYOVD attacks follow a two-stage pattern: the attacker drops a vulnerable driver as a separate file, then loads and abuses it. Reynolds ransomware took a different approach. The threat actor embedded NSecKrnl.sys directly inside the ransomware binary itself, eliminating the separate delivery step entirely. When the ransomware executes, it extracts the driver, loads it, kills every security product on the machine, and begins encryption, all in a single seamless flow.
This matters because it reduces the detection window. Traditional BYOVD tooling drops the driver to disk as a distinct artifact, creating a file-write event that EDR can catch. Reynolds collapses the entire kill chain into a single executable, making the driver extraction and loading appear as part of the ransomware's normal initialization.
Root Cause
The vulnerability is straightforward: NSecKrnl.sys exposes an IOCTL handler that terminates processes by PID with no authorization check on the caller. The driver does not verify whether the requesting process has appropriate privileges, whether it belongs to a legitimate NsecSoft product, or whether the target process should be terminable. Any local authenticated user can open the device and kill any process on the system, including SYSTEM and PPL-protected processes like EDR agents.
The driver calls ZwTerminateProcess at the kernel level, which bypasses all user-mode protections, PPL flags, and object callbacks that EDR products rely on to prevent their own termination.
Exploitation
Reynolds ransomware (identified by researchers as a Black Basta successor operation) uses the following chain after gaining initial access:
The ransomware binary contains NSecKrnl.sys as an embedded resource. On execution, it extracts the driver to a temp directory and registers it as a kernel service. It then enumerates running processes, checking against a hardcoded list of security product process names covering Sophos, CrowdStrike, Defender, ESET, Avast, and Symantec. For each match, it sends the process termination IOCTL with the target PID. The driver executes ZwTerminateProcess from kernel mode, and the security process dies regardless of its protection level. With all security software eliminated, the ransomware begins encrypting files.
Exploitation Primitive
Load NSecKrnl.sys --> IOCTL with target PID
--> ZwTerminateProcess at kernel level (no authorization check)
--> kill EDR/AV processes --> encrypt files
Detection
Behavioral Indicators
- NSecKrnl.sys loaded as a kernel service from a temp directory
- Rapid termination of multiple security product processes
- Process termination of PPL-protected processes
- Single executable that writes a .sys file and immediately creates a service for it
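As an added detection example (not from the original advisory, and not NsecSoft or Reynolds code), the Python below correlates constructed endpoint events to flag the three behavioral indicators listed above. The event schema, file names, security-process watchlist and time window are assumptions; a deployment would map them onto its own telemetry (for example Sysmon file-create, service-install and driver-load events).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative watchlist of security-product process names (assumption; replace
# with your own inventory). MsMpEng.exe is Defender's engine; the other is made up.
SECURITY_PROCS = {"msmpeng.exe", "edr_agent.exe"}
WINDOW = timedelta(seconds=10)  # correlation window for "immediately" / "rapid"


def _ts(s):
    return datetime.fromisoformat(s)


def detect(events):
    """Return the set of (rule, actor) pairs triggered by a time-ordered list of
    (timestamp, actor_process, event_type, detail) records."""
    hits = set()
    writes = {}                 # (actor, lowercased .sys path) -> write time
    kills = defaultdict(list)   # actor -> recent security-process kill times
    for ts, actor, kind, detail in events:
        t, d = _ts(ts), detail.lower()
        # Indicator 1: driver registered/loaded from a temp directory
        if kind in ("driver_load", "service_install") and re.search(r"\\temp\\", d):
            hits.add(("DRIVER_FROM_TEMP", actor))
        # Indicator 3: same executable writes a .sys file, then creates a service for it
        if kind == "file_write" and d.endswith(".sys"):
            writes[(actor, d)] = t
        if kind == "service_install" and (actor, d) in writes \
                and t - writes[(actor, d)] <= WINDOW:
            hits.add(("WRITE_THEN_SERVICE", actor))
        # Indicator 2: one actor kills several watchlisted processes in quick succession
        if kind == "process_terminate" and d in SECURITY_PROCS:
            kills[actor] = [k for k in kills[actor] if t - k <= WINDOW] + [t]
            if len(kills[actor]) >= 2:
                hits.add(("MASS_SECURITY_KILL", actor))
    return hits


EVENTS = [  # constructed sample telemetry; "payload.exe" and "setup.exe" are placeholders
    ("2025-01-10T09:00:00", "payload.exe", "file_write", r"C:\Users\u\AppData\Local\Temp\NSecKrnl.sys"),
    ("2025-01-10T09:00:01", "payload.exe", "service_install", r"C:\Users\u\AppData\Local\Temp\NSecKrnl.sys"),
    ("2025-01-10T09:00:02", "System", "driver_load", r"C:\Users\u\AppData\Local\Temp\NSecKrnl.sys"),
    ("2025-01-10T09:00:03", "payload.exe", "process_terminate", "MsMpEng.exe"),
    ("2025-01-10T09:00:04", "payload.exe", "process_terminate", "edr_agent.exe"),
    # A legitimate installer also writes a driver and registers it, but from Program Files
    ("2025-01-10T10:00:00", "setup.exe", "file_write", r"C:\Program Files\Vendor\vendor.sys"),
    ("2025-01-10T10:00:02", "setup.exe", "service_install", r"C:\Program Files\Vendor\vendor.sys"),
]

if __name__ == "__main__":
    for rule, actor in sorted(detect(EVENTS)):
        print(f"{rule:20} {actor}")
```

The benign installer trips only WRITE_THEN_SERVICE, so treat that indicator alone as low confidence and escalate when it coincides with a temp-directory driver path or a burst of security-process terminations.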
Broader Significance
CVE-2025-68947 represents the evolution of the BYOVD technique from a separate "tool" to an integrated component of the malware itself. As EDR products improve their detection of standalone BYOVD droppers, embedding the driver directly in the payload becomes the natural adaptation. The low CVSS score (5.7) belies the operational impact: in practice, this bug enables ransomware to completely disable all endpoint protection before encryption begins.