CVE-2025-70795
STProcessMonitor.sys -- Safetica DLP driver exposes unprotected process termination primitive
Summary
| Field | Value |
|---|---|
| Driver | STProcessMonitor.sys (Safetica) |
| Vulnerability Class | Process Termination (BYOVD) |
| Exploited ITW | No |
| Vendor | Safetica (DLP solution) |
Context
Safetica is a Data Loss Prevention (DLP) product, not a traditional antivirus. Its kernel driver, STProcessMonitor.sys, monitors process activity as part of its data protection enforcement. Like many security product drivers, it includes the ability to terminate processes from kernel mode. And like too many of them, it fails to restrict who can invoke that capability.
The driver sits in a category that has become one of the most exploited in the BYOVD landscape: legitimate security product drivers that expose process termination IOCTLs without caller validation. In the KernelSight corpus, this same pattern appears in viragt64.sys (Kasseika ransomware), CVE-2025-68947 (Reynolds ransomware), EnPortv.sys (pre-ransomware EDR killer), and CVE-2024-51324 (Baidu driver). The pattern is consistent: a signed kernel driver with a process kill IOCTL, no access control, deployed by attackers to disable EDR.
Root Cause
STProcessMonitor.sys exposes an IOCTL that terminates arbitrary processes with no validation of the caller's identity or privileges. Any user-mode process that can open the device handle can send a PID and have the corresponding process killed from kernel mode. Because the termination happens in the kernel, it bypasses the user-mode protections, Protected Process Light (PPL) flags, and ObRegisterCallbacks-based handle filtering that EDR products rely on to protect their own processes.
The driver is signed with a valid Safetica certificate, meaning Windows Driver Signature Enforcement permits loading on any system. It is not currently on the Microsoft Vulnerable Driver Blocklist.
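The blocklist point above is something a defender can verify against the policy actually deployed rather than take on trust. The following script is an added example (not part of this advisory and not Safetica or Microsoft code): it parses a WDAC policy in the shape of the Microsoft recommended driver block rules and reports which drivers from a watchlist have no matching Deny rule. The policy excerpt is constructed, the element shapes are assumed to follow the published block-rule XML (verify against your own policy), and the hash values are placeholders rather than real file hashes.

```python
"""Audit a WDAC policy for Deny coverage of specific driver file names/hashes."""
import xml.etree.ElementTree as ET

# Default namespace used by WDAC / Code Integrity policy XML (assumption:
# matches the published block-rule policies; check your deployed policy).
NS = {"p": "urn:schemas-microsoft-com:sipolicy"}

# Constructed policy excerpt. The Deny shapes mirror the recommended driver
# block rules: a FileName-based rule and a Hash-based rule. Hash values here
# are PLACEHOLDERS, not real hashes of any driver.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE_A" FriendlyName="exampledrv.sys"
          FileName="exampledrv.sys" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_EXAMPLE_B_SHA256" FriendlyName="otherdrv.sys"
          Hash="PLACEHOLDER_SHA256_OF_OTHERDRV" />
  </FileRules>
</SiPolicy>
"""


def deny_rules(policy_xml):
    """Return (file_names, hashes) covered by Deny rules in the policy."""
    root = ET.fromstring(policy_xml)
    names, hashes = set(), set()
    for deny in root.findall(".//p:FileRules/p:Deny", NS):
        if "FileName" in deny.attrib:
            names.add(deny.attrib["FileName"].lower())
        if "Hash" in deny.attrib:
            hashes.add(deny.attrib["Hash"].upper())
    return names, hashes


def is_blocked(policy_xml, file_name, sha256=None):
    """True if the policy denies the driver by file name or by the given hash."""
    names, hashes = deny_rules(policy_xml)
    if file_name.lower() in names:
        return True
    return sha256 is not None and sha256.upper() in hashes


def coverage_report(policy_xml, drivers):
    """drivers: {file_name: sha256 or None}. Returns the names NOT denied."""
    return sorted(name for name, digest in drivers.items()
                  if not is_blocked(policy_xml, name, digest))


if __name__ == "__main__":
    # Watchlist: the driver named in this advisory plus one the sample policy
    # already covers. The real hash of STProcessMonitor.sys is not on the page,
    # so None is passed and only the file-name rule can match.
    watchlist = {"STProcessMonitor.sys": None, "exampledrv.sys": None}
    for missing in coverage_report(SAMPLE_POLICY, watchlist):
        print(f"NOT BLOCKED by policy: {missing}")
```

Run it against the policy XML exported from your own environment (for example the block-rule policy you merged into your WDAC configuration) and feed the watchlist from a vulnerable-driver inventory; a driver that appears in the report is loadable on hosts under that policy unless some other control stops it.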
Exploitation
The BYOVD workflow is minimal. The attacker drops the signed STProcessMonitor.sys to disk, creates a kernel service to load it, opens the device handle, and sends process termination IOCTLs for each security product process. Because the driver is validly signed, loading it needs nothing beyond creating that kernel service, which requires local administrator rights (already assumed in BYOVD scenarios). Once security software is disabled, the attacker deploys their primary payload.
Exploitation Primitive
Load signed STProcessMonitor.sys --> open device handle
--> send process termination IOCTL --> kill EDR/AV
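The chain above (service created, signed driver loaded, security processes terminated) is what a detection should key on, since the driver load on its own is legitimate on a host running Safetica. The following script is an added example (not part of this advisory and not KernelSight or Safetica code): it correlates constructed event records modelled loosely on Sysmon Event ID 6 (driver loaded), Sysmon Event ID 5 (process terminated) and the System log's 7045 (new service installed), and raises a finding only when the driver load is accompanied by suspicious context. The expected install directories, the protected process names and every path and timestamp in the sample are assumptions for illustration, not product facts.

```python
"""Correlate driver-load telemetry with the surrounding context of a BYOVD chain."""
import ntpath
from datetime import datetime, timedelta

# Driver named in this advisory. Expected install directories and protected
# process names are ASSUMPTIONS for illustration; adjust to your environment.
VULNERABLE_DRIVERS = {"stprocessmonitor.sys"}
EXPECTED_DIRS = {r"c:\windows\system32\drivers", r"c:\program files\safetica"}
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe"}

# Constructed sample events, not real telemetry. "id" mimics Sysmon 6/5 and
# System 7045; paths and times are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T10:00:00", "id": 7045, "service": "stprocmon",
     "image": r"C:\Users\Public\STProcessMonitor.sys"},
    {"ts": "2025-01-01T10:00:02", "id": 6,
     "image": r"C:\Users\Public\STProcessMonitor.sys", "signature": "Safetica"},
    {"ts": "2025-01-01T10:00:05", "id": 5, "image": r"C:\Program Files\Vendor\edr_agent.exe"},
    {"ts": "2025-01-01T10:00:06", "id": 5, "image": r"C:\Program Files\Vendor\av_service.exe"},
    # Benign-looking load from the assumed product directory, nothing else nearby.
    {"ts": "2025-01-02T09:00:00", "id": 6,
     "image": r"C:\Windows\System32\drivers\STProcessMonitor.sys", "signature": "Safetica"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def _dirname(path):
    return ntpath.dirname(path).lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def analyze(events, window=timedelta(seconds=60)):
    """Return findings for loads of a watched driver that have suspicious context.

    A finding is produced when the load comes from an unexpected directory, was
    preceded within `window` by a new kernel service for the same file, or is
    followed within `window` by termination of protected processes.
    """
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != 6 or _basename(ev["image"]) not in VULNERABLE_DRIVERS:
            continue
        loaded_at = _ts(ev)
        reasons = []
        if _dirname(ev["image"]) not in EXPECTED_DIRS:
            reasons.append("loaded from unexpected path")
        for prev in events[:i]:
            if (prev["id"] == 7045
                    and _basename(prev["image"]) == _basename(ev["image"])
                    and loaded_at - _ts(prev) <= window):
                reasons.append(f"new kernel service {prev['service']!r} registered before load")
                break
        terminated = [_basename(n["image"]) for n in events[i + 1:]
                      if n["id"] == 5 and _ts(n) - loaded_at <= window
                      and _basename(n["image"]) in PROTECTED_PROCESSES]
        if terminated:
            reasons.append("protected processes terminated after load")
        if reasons:
            findings.append({"driver": ev["image"], "ts": ev["ts"], "reasons": reasons,
                             "terminated": terminated,
                             "severity": "high" if terminated else "medium"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['driver']} at {f['ts']}: " + "; ".join(f["reasons"]))
```

The design choice worth noting is that a load from the expected directory with no service registration and no terminations nearby produces no finding at all; alerting on every load of a driver that legitimately ships with a deployed product would bury the signal. The termination check is what turns a medium-confidence path anomaly into a high-severity EDR-killer finding.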
Broader Significance
The Safetica driver has not been observed in active attacks yet, but it follows the exact template that has been weaponized repeatedly. The fact that it remains loadable and is not on the blocklist makes it a candidate for future BYOVD campaigns. DLP products are particularly interesting to attackers because they are less commonly monitored for BYOVD abuse than traditional antivirus drivers, and their driver signing certificates may receive less scrutiny.